
CVE-2026-28860: Apple iPadOS Privilege Escalation Flaw

CVE-2026-28860 is a privilege escalation vulnerability in Apple iPadOS that allows local attackers to modify Keychain state. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2026-28860 Overview

CVE-2026-28860 is an input validation flaw [CWE-20] across Apple's operating system family. A local attacker can leverage the issue to modify the state of the Keychain, the secure credential store used by macOS, iOS, and related platforms. Apple addressed the vulnerability through improved input validation in iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. The flaw affects integrity of stored credentials and authentication material without requiring user interaction on the target device.

Critical Impact

A local attacker can alter Keychain state, undermining the integrity of stored secrets used for authentication, encryption, and application identity across Apple platforms.

Affected Products

  • Apple iOS and iPadOS (versions prior to 18.7.7 and 26.4)
  • Apple macOS Sequoia, Sonoma, and Tahoe (prior to 15.7.5, 14.8.5, and 26.4)
  • Apple tvOS, visionOS, and watchOS (prior to 26.4)

Discovery Timeline

  • 2026-05-11 - CVE-2026-28860 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-28860

Vulnerability Analysis

The Keychain on Apple platforms stores passwords, cryptographic keys, certificates, and authentication tokens. CVE-2026-28860 originates in a component that accepts input destined for Keychain state operations without sufficient validation. A local attacker who can execute code or trigger crafted inputs against the affected interface can manipulate Keychain state in ways the system would normally reject.

The vulnerability is classified under CWE-20 (Improper Input Validation). Apple's advisory states the fix consists of improved input validation, indicating that malformed or unexpected parameters reached logic responsible for managing Keychain entries. While the CVSS vector lists a network attack vector, Apple's description explicitly scopes the impact to a local attacker modifying Keychain state.

Root Cause

The underlying code path did not adequately validate input before applying changes to Keychain state. Lack of boundary or semantic checks allowed a caller to influence operations on stored items, breaking the integrity guarantees the Keychain is designed to provide.

Attack Vector

Exploitation requires local access to a vulnerable Apple device, typically through a malicious application or compromised process. The attacker submits crafted input to the affected Keychain-related interface to modify state. Successful exploitation does not directly expose Keychain secrets but can corrupt or alter entries used by other applications and system services. No public proof-of-concept or in-the-wild exploitation has been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified exploitation code is publicly available. Refer to the Apple advisories for component-level details: Apple Support Document #126792 and the related per-platform advisories.

Detection Methods for CVE-2026-28860

Indicators of Compromise

  • Unexpected modifications, additions, or deletions of Keychain items not initiated by the user or a known administrative workflow.
  • Applications failing authentication or certificate validation due to altered Keychain entries.
  • Installation or execution of unsigned or unexpected local binaries preceding Keychain anomalies.

Detection Strategies

  • Audit security command-line activity and Keychain access logs on macOS endpoints for unusual write or delete operations.
  • Correlate Endpoint Security framework events (ES_EVENT_TYPE_NOTIFY_*) tied to Keychain databases with process provenance.
  • Track OS build versions across the fleet and flag devices running pre-patch releases of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS.

Monitoring Recommendations

  • Forward macOS Unified Logs and MDM inventory data to a central analytics platform to identify unpatched Apple devices.
  • Monitor for new local processes interacting with securityd or Keychain files under ~/Library/Keychains/ and /Library/Keychains/.
  • Alert on privilege escalation or sandbox escape indicators that often precede local Keychain manipulation.
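The detection and monitoring bullets above can be reduced to two rules: a `security(1)` invocation with a state-changing subcommand whose parent process is not an expected one, and a write under a `Library/Keychains/` directory by a process that is not an expected Keychain writer. The POSIX shell filter below is an added example, not code from the advisory or from Apple. The pipe-delimited event format, the sample lines, the process names (`mdm-agent`, `updater_helper`) and both allowlists are constructed for illustration; the subcommand list is taken from security(1). A real feed would be Endpoint Security exec and write events, or Unified Log entries, normalized by your agent into a comparable shape.

```shell
#!/bin/sh
# Added example, not part of the advisory. Flags Keychain-mutating activity in
# normalized endpoint events. Format and sample lines are CONSTRUCTED; a real feed
# would be Endpoint Security exec/write events or Unified Log entries exported by
# your agent in a comparable shape.
#
# Line format (constructed): timestamp|event|user|process|parent|detail
#   exec  -> detail is the full command line
#   write -> detail is the path that was written

# Tunable allowlists (constructed names; replace with your MDM agent and any
# other processes that legitimately change Keychain state on your fleet).
ALLOWED_SECURITY_PARENTS="mdm-agent"
ALLOWED_KEYCHAIN_WRITERS="securityd"

# Constructed sample: one benign MDM-driven add, one read-only lookup, then a
# suspicious helper deleting an item, importing a P12 and touching the login
# keychain directly, followed by a normal securityd write and an unrelated exec.
SAMPLE_EVENTS='2026-05-12T09:14:02Z|exec|alice|security|mdm-agent|security add-generic-password -a svc -s corp-vpn -w
2026-05-12T09:20:41Z|exec|alice|security|Terminal|security find-generic-password -s corp-vpn
2026-05-12T11:03:15Z|exec|alice|security|updater_helper|security delete-generic-password -s corp-vpn
2026-05-12T11:03:16Z|exec|alice|security|updater_helper|security import /tmp/x.p12 -k /Users/alice/Library/Keychains/login.keychain-db
2026-05-12T11:03:20Z|write|alice|updater_helper|launchd|/Users/alice/Library/Keychains/login.keychain-db
2026-05-12T11:05:00Z|write|root|securityd|launchd|/Library/Keychains/System.keychain
2026-05-12T12:00:00Z|exec|bob|ls|Terminal|ls -la /Users/bob/Library/Keychains'

# flag_keychain_events: reads events on stdin, prints one ALERT line per
# suspicious event. Rule 1: security(1) run with a state-changing subcommand by
# a parent not on the allowlist. Rule 2: a write to a file under
# .../Library/Keychains/ by a process that is not an allowed writer.
flag_keychain_events() {
  awk -F'|' -v parents="$ALLOWED_SECURITY_PARENTS" -v writers="$ALLOWED_KEYCHAIN_WRITERS" '
  BEGIN {
    n = split(parents, p, ","); for (i = 1; i <= n; i++) okparent[p[i]] = 1
    n = split(writers, w, ","); for (i = 1; i <= n; i++) okwriter[w[i]] = 1
    # security(1) subcommands that add, delete or alter Keychain items or settings
    subs = "add-generic-password add-internet-password delete-generic-password delete-internet-password delete-certificate import set-keychain-password set-keychain-settings"
    n = split(subs, m, " "); for (i = 1; i <= n; i++) mutating[m[i]] = 1
  }
  $2 == "exec" && $4 == "security" {
    split($6, argv, " ")
    if ((argv[2] in mutating) && !($5 in okparent))
      printf "ALERT exec ts=%s user=%s parent=%s cmd=%s\n", $1, $3, $5, $6
  }
  $2 == "write" && index($6, "/Library/Keychains/") > 0 && !($4 in okwriter) {
    printf "ALERT write ts=%s user=%s process=%s path=%s\n", $1, $3, $4, $6
  }'
}

# count_alerts: number of alerts the constructed sample produces
count_alerts() {
  printf '%s\n' "$SAMPLE_EVENTS" | flag_keychain_events | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_EVENTS" | flag_keychain_events
```

Run against the sample, the filter raises three alerts (the delete, the import, and the direct write by `updater_helper`) and stays silent on the MDM-driven add, the read-only `find-generic-password`, and the `securityd` write. The allowlists are deliberately short; tune them from a baseline of your own fleet before alerting on the output.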

How to Mitigate CVE-2026-28860

Immediate Actions Required

  • Deploy Apple's patched OS releases through MDM: iOS/iPadOS 18.7.7 or 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.
  • Inventory all Apple devices and prioritize updates on systems holding privileged credentials or development signing material.
  • Restrict installation of untrusted applications and enforce Gatekeeper, Notarization, and System Integrity Protection settings.

Patch Information

Apple released coordinated updates fixing CVE-2026-28860 across its platforms. Consult the vendor advisories: Apple Support Document #126792, #126793, #126794, #126795, #126796, #126797, #126798, and #126799.

Workarounds

  • No vendor-supplied workaround exists; apply the official OS updates.
  • Limit local code execution by enforcing application allowlists and removing unnecessary local administrator rights.
  • Rotate high-value credentials stored in the Keychain after patching to invalidate any state altered prior to remediation.
```bash
# Verify patched macOS build and trigger software update enforcement
sw_vers -productVersion
sudo softwareupdate --install --all --restart

# Example MDM compliance check (pseudocode)
# Flag devices where ProductVersion < 15.7.5 (Sequoia), 14.8.5 (Sonoma), or 26.4 (Tahoe)
```
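The compliance pseudocode above, together with the fleet version tracking suggested under Detection Strategies and Monitoring Recommendations, can be made concrete as a POSIX shell check over an MDM inventory export. This is an added example, not code from the advisory or from Apple. The fixed versions are those listed in the advisory; the CSV layout, the serial numbers, and the helpers `fixed_version`, `version_ge`, `device_status` and `list_unpatched` are assumptions for illustration. It goes slightly beyond the pseudocode by handling iOS/iPadOS and the 26.x OS lines and by comparing versions numerically so that 15.7.10 is not mistaken for a release older than 15.7.5.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Apple. Flags devices in an MDM
# inventory export that run a release older than the CVE-2026-28860 fix for their
# OS line. Fixed versions come from the advisory; the CSV format and the device
# rows below are CONSTRUCTED.

# fixed_version PRODUCT VERSION: print the first fixed release for the OS line the
# device is on. Lines without a listed fix (e.g. iOS 17, macOS 13) are compared
# against 26.4 and therefore reported as unpatched, the conservative choice for
# a fleet check. Unknown products print nothing; callers treat that as unpatched.
fixed_version() {
  case "$1" in
    iOS|iPadOS)
      case "$2" in 18.*) echo 18.7.7 ;; *) echo 26.4 ;; esac ;;
    macOS)
      case "$2" in 15.*) echo 15.7.5 ;; 14.*) echo 14.8.5 ;; *) echo 26.4 ;; esac ;;
    tvOS|visionOS|watchOS) echo 26.4 ;;
    *) echo "" ;;
  esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# component so that 26.4.1 >= 26.4 and 15.7.10 >= 15.7.5 (a plain string
# comparison would get the second one wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# device_status PRODUCT VERSION: prints "patched" or "UNPATCHED"
device_status() {
  req=$(fixed_version "$1" "$2")
  if [ -n "$req" ] && version_ge "$2" "$req"; then echo patched; else echo UNPATCHED; fi
}

# Constructed inventory export: serial,product,version (header row included)
INVENTORY='serial,product,version
C02ABC001,macOS,15.7.5
C02ABC002,macOS,15.7.4
C02ABC003,macOS,14.8.5
C02ABC004,macOS,26.3.1
C02ABC009,macOS,13.7.4
DMPABC005,iPadOS,18.7.7
DMPABC006,iPadOS,18.7.6
F9FABC007,iOS,26.4
F9FABC008,watchOS,26.3'

# list_unpatched CSV: one line per still-exposed device: serial,product,version,required
list_unpatched() {
  printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r serial product version; do
    [ -n "$serial" ] || continue
    req=$(fixed_version "$product" "$version")
    if [ -z "$req" ] || ! version_ge "$version" "$req"; then
      printf '%s,%s,%s,%s\n' "$serial" "$product" "$version" "${req:-no fixed release listed}"
    fi
  done
}

# count_unpatched CSV: number of devices list_unpatched reports
count_unpatched() { list_unpatched "$1" | wc -l | tr -d ' '; }

list_unpatched "$INVENTORY"
```

With a real export, call `list_unpatched "$(cat inventory.csv)"` (or replace the `printf` with a `cat` of the file) and feed the output to your ticketing or MDM remediation workflow. On the constructed inventory the check reports five devices: the macOS 15.7.4, 26.3.1 and 13.7.4 systems, the iPadOS 18.7.6 device, and the watchOS 26.3 device.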

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
