CVE-2026-28868 Overview
A logging vulnerability (CWE-532: Insertion of Sensitive Information into Log File) has been identified across multiple Apple operating systems. The vulnerability stems from improper data redaction in the logging subsystem, which can allow a malicious application to disclose kernel memory contents. Apple has addressed this issue with improved data redaction mechanisms in the affected logging components.
Critical Impact
An attacker who can get a victim to install and run a malicious app on the device can read kernel memory contents that were written to the log without redaction. The most direct consequence is disclosure of kernel pointers and memory layout, which defeats kernel ASLR and is the usual first step in chaining a separate memory-corruption bug into a kernel compromise; whatever else the kernel happened to log, which may include key material or authentication tokens, may also be exposed.
Affected Products
- Apple iOS 18.x before 18.7.7 and iOS 26.x before 26.4
- Apple iPadOS 18.x before 18.7.7 and iPadOS 26.x before 26.4
- Apple macOS Sequoia 15.x before 15.7.5, macOS Sonoma 14.x before 14.8.5, and macOS Tahoe 26.x before 26.4
- Apple visionOS 26.x before 26.4
- Apple watchOS 26.x before 26.4
The versions named here are the releases that contain the fix (see Patch Information); a device already on one of them is not affected.
Discovery Timeline
- March 25, 2026 - CVE-2026-28868 published to NVD
- March 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28868
Vulnerability Analysis
This vulnerability belongs to the Information Disclosure category, specifically involving sensitive data exposure through improper logging practices. The flaw exists within Apple's logging subsystem, which failed to properly redact kernel memory addresses and contents before writing to system logs.
When certain kernel operations are logged, the message carries memory contents that should have been sanitized or dropped before the entry reached the log store. A malicious application on the device that can read those entries can extract kernel pointers and memory layout information, which is what an attacker needs to bypass kernel Address Space Layout Randomization (kASLR), along with whatever other kernel state the same messages contained. Apple's advisory does not state which log interface the app reads through; on macOS the unified log is stored under /var/db/diagnostics and /var/db/uuidtext and is exposed through the OSLogStore API and the `log show` tool, while on iOS third-party apps can normally read only their own entries through OSLogStore.
The attack requires local code execution and user interaction, since the victim must install and run the malicious application. Third-party apps are installed on Apple devices every day, so this is a realistic scenario rather than a theoretical one.
Root Cause
The root cause of CVE-2026-28868 is classified as CWE-532 (Insertion of Sensitive Information into Log File). The logging subsystem across multiple Apple operating systems failed to implement proper data redaction filters for kernel memory references. When diagnostic or operational logging captured system events, the redaction mechanisms did not adequately sanitize kernel memory pointers and associated data, allowing this information to persist in accessible log files.
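The redaction that the fix is described as adding can be illustrated with a small filter. The following Python is an added example written for this page, not Apple's code: the kernel address ranges it uses are simplified assumptions (arm64 XNU kernel space at 0xfffffe..., x86_64 at 0xffffff8...), the `<private>` marker is borrowed from the unified log's own notation, and the log lines are constructed. It places a logger that stores caller-formatted text verbatim (the CWE-532 pattern) beside one that strips kernel pointers and raw byte dumps before the line reaches the store, and adds an audit helper you can run over exported log text to check that nothing slipped through.

```python
import re

# Simplified XNU kernel virtual-address ranges (assumption for this example):
# arm64 kernels live in 0xfffffe0000000000-0xfffffeffffffffff and x86_64
# kernels in 0xffffff8000000000-0xffffffffffffffff. Everything else is
# treated as user space and left in the log.
KERNEL_RANGES = (
    (0xFFFFFE0000000000, 0xFFFFFEFFFFFFFFFF),  # arm64
    (0xFFFFFF8000000000, 0xFFFFFFFFFFFFFFFF),  # x86_64
)
REDACTED = "<private>"  # marker the unified log uses for private data

HEX_WORD = re.compile(r"0x[0-9a-fA-F]{1,16}\b")
# Eight or more space-separated hex bytes: treated as a raw memory dump.
HEX_DUMP = re.compile(r"\b(?:[0-9a-fA-F]{2} ){7,}[0-9a-fA-F]{2}\b")


def is_kernel_address(value):
    return any(lo <= value <= hi for lo, hi in KERNEL_RANGES)


def redact_kernel_data(line):
    """Replace kernel pointers and byte dumps; keep user-space pointers."""
    def sub_ptr(m):
        return REDACTED if is_kernel_address(int(m.group(0), 16)) else m.group(0)
    return HEX_DUMP.sub(REDACTED, HEX_WORD.sub(sub_ptr, line))


def log_vulnerable(sink, message):
    """CWE-532 shape: the caller's formatted text is stored verbatim."""
    sink.append(message)


def log_hardened(sink, message):
    """Fixed shape: redaction runs before the line reaches the store."""
    sink.append(redact_kernel_data(message))


def find_unredacted(lines):
    """Audit helper: lines that still carry a kernel pointer or a byte dump.
    Run it over the output of `log show` to check redaction on a host."""
    leaked = []
    for line in lines:
        ptrs = (int(m, 16) for m in HEX_WORD.findall(line))
        if HEX_DUMP.search(line) or any(is_kernel_address(p) for p in ptrs):
            leaked.append(line)
    return leaked


# Constructed sample lines in the spirit of kernel diagnostics; not real XNU output.
SAMPLE_MESSAGES = [
    "kext_load: module at 0xfffffe001a2b3c40 size 0x4000",
    "task_exit: pid 4242 uaddr 0x0000000104a8c000",
    "ioctl debug: buf de ad be ef 00 11 22 33 ca fe ba be",
]

if __name__ == "__main__":
    before, after = [], []
    for msg in SAMPLE_MESSAGES:
        log_vulnerable(before, msg)
        log_hardened(after, msg)
    print("leaked before fix:", len(find_unredacted(before)))  # 2
    print("leaked after fix: ", len(find_unredacted(after)))   # 0
```

The user-space pointer and the small size value in the samples survive redaction; only the kernel-range pointer and the byte dump are replaced, which is the distinction a fix of this kind has to make without losing the diagnostic value of the entry.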
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to deliver and execute a malicious application on the target device. The exploitation flow involves:
- An attacker distributes a malicious application through social engineering or potentially through app store mechanisms
- The victim installs and runs the application on their Apple device
- The malicious app accesses system logs through available APIs
- The app parses log entries to extract improperly redacted kernel memory information
- The extracted data can be used for further attacks or exfiltrated to the attacker
The vulnerability does not require elevated privileges to exploit, but does require user interaction to install and launch the malicious application. The confidentiality impact is high as kernel memory disclosure can reveal sensitive system information.
Detection Methods for CVE-2026-28868
Indicators of Compromise
- Unusual application behavior involving repeated or bulk access to system log files
- Applications opening the unified log store on disk (/var/db/diagnostics/ and /var/db/uuidtext/ on macOS; /var/log/ holds only the legacy text logs) or calling the OSLogStore read APIs far more than their function requires
- Outbound network connections from applications after accessing system logs
- Presence of applications from untrusted sources on affected devices
Detection Strategies
- Monitor for applications reading the unified log far beyond their needs, whether through the OSLogStore API or by opening the log store files directly (writing entries with os_log is normal and not a signal)
- Implement application behavioral analysis to detect abnormal log access patterns, especially bulk reads followed by outbound network traffic
- Deploy endpoint detection with file-open telemetry (Endpoint Security on macOS) so that non-system processes touching the log store are visible; the sensor sees the open, not the entry contents, so the rule keys on which process opens the store and how often
- Review Mobile Device Management (MDM) logs for unauthorized application installations
Monitoring Recommendations
- Enable enhanced logging for application activity on managed devices
- Configure security information and event management (SIEM) systems to alert on suspicious log access patterns
- Implement regular audits of installed applications on enterprise-managed Apple devices
- Monitor for applications requesting permissions beyond their stated functionality
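The indicators and strategies above reduce to one rule: a non-system process opening the unified log store in bulk, especially when it then talks to the network. Below is an added Python example, not vendor code, that applies that rule to file-open and connect telemetry. The event schema (ts, pid, exe, kind, target) is a hypothetical flattening of what an Endpoint Security client or EDR would report; the path list, allowlist, window and threshold are assumptions to tune per fleet; the events are constructed, and the app names and addresses in them are made up.

```python
from collections import defaultdict, deque

# Where the unified log store lives on macOS. /var is a symlink to /private/var
# and Endpoint Security reports resolved paths, so both forms are listed.
LOG_STORE_PREFIXES = (
    "/var/db/diagnostics/", "/private/var/db/diagnostics/",
    "/var/db/uuidtext/", "/private/var/db/uuidtext/",
)
# System tools expected to read the store in bulk (example allowlist; extend per fleet).
EXPECTED_LOG_READERS = frozenset({
    "/usr/bin/log", "/usr/libexec/logd", "/usr/bin/sysdiagnose",
})
WINDOW_SECONDS = 60.0   # sliding window for counting opens (assumption)
BULK_THRESHOLD = 20     # opens per window that count as bulk access (assumption)


def is_log_store_path(path):
    return path.startswith(LOG_STORE_PREFIXES)


def detect_log_scraping(events):
    """events: dicts with ts (seconds), pid, exe, kind ('open' or 'connect') and
    target (file path or remote endpoint). Returns one finding per offending pid;
    a connect within the window after bulk reads raises the finding to high."""
    opens = defaultdict(deque)  # pid -> timestamps of log-store opens in window
    flagged = {}                # pid -> finding
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], ev["ts"]
        if ev["kind"] == "open" and is_log_store_path(ev["target"]):
            if ev["exe"] in EXPECTED_LOG_READERS:
                continue
            window = opens[pid]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BULK_THRESHOLD and pid not in flagged:
                finding = {
                    "pid": pid, "exe": ev["exe"], "severity": "medium",
                    "reason": f"{len(window)} unified-log store opens in {WINDOW_SECONDS:.0f}s",
                    "egress": None,
                }
                flagged[pid] = finding
                findings.append(finding)
        elif ev["kind"] == "connect" and pid in flagged:
            finding = flagged[pid]
            if finding["egress"] is None and ts - opens[pid][-1] <= WINDOW_SECONDS:
                finding["egress"] = ev["target"]
                finding["severity"] = "high"
    return findings


def constructed_events():
    """Constructed telemetry, not captured data: an expected reader, a scraper, a benign app."""
    evs = []
    for i in range(40):  # `log show` opening many tracev3 files is normal
        evs.append({"ts": 1000 + i * 0.1, "pid": 300, "exe": "/usr/bin/log", "kind": "open",
                    "target": f"/private/var/db/diagnostics/Persist/{i:016X}.tracev3"})
    scraper = "/Applications/FreeWallpaper.app/Contents/MacOS/FreeWallpaper"  # hypothetical
    for i in range(25):  # bulk reads, then an outbound connection
        evs.append({"ts": 1100 + i * 0.4, "pid": 500, "exe": scraper, "kind": "open",
                    "target": f"/private/var/db/diagnostics/Special/{i:016X}.tracev3"})
    evs.append({"ts": 1115.0, "pid": 500, "exe": scraper, "kind": "connect",
                "target": "203.0.113.10:443"})
    benign = "/Applications/BenignApp.app/Contents/MacOS/BenignApp"  # hypothetical
    for i in range(3):   # a few opens, below threshold
        evs.append({"ts": 1200 + i, "pid": 700, "exe": benign, "kind": "open",
                    "target": f"/private/var/db/uuidtext/0{i}/constructed"})
    evs.append({"ts": 1210.0, "pid": 700, "exe": benign, "kind": "connect",
                "target": "198.51.100.7:443"})
    return evs


if __name__ == "__main__":
    for f in detect_log_scraping(constructed_events()):
        print(f"[{f['severity']}] pid {f['pid']} {f['exe']}: {f['reason']}; egress={f['egress']}")
```

Only the hypothetical scraper is reported: the allowlisted `log` process is ignored however many files it opens, and the app with three opens stays under the threshold even though it also connects out. Keying the egress escalation on the same pid within the window is what turns a noisy "reads logs" signal into the "reads logs, then exfiltrates" pattern the indicators describe.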
How to Mitigate CVE-2026-28868
Immediate Actions Required
- Update all affected Apple devices to the latest patched versions immediately
- Review installed applications and remove any from untrusted sources
- Enable automatic updates on all Apple devices to receive security patches promptly
- For enterprise environments, use MDM solutions to enforce software update policies
Patch Information
Apple has released security updates addressing this vulnerability across all affected platforms. Administrators and users should update to the following versions or later:
- iOS 18.7.7 or iOS 26.4 - See Apple Support Advisory #126793
- iPadOS 18.7.7 or iPadOS 26.4 - See Apple Support Advisory #126794
- macOS Sequoia 15.7.5 - See Apple Support Advisory #126795
- macOS Sonoma 14.8.5 - See Apple Support Advisory #126796
- macOS Tahoe 26.4 - See Apple Support Advisory #126798
- visionOS 26.4 - See Apple Support Advisory #126799
- watchOS 26.4 - See Apple Support Advisory #126792
Workarounds
- Restrict application installations to trusted sources only (App Store for consumer devices, approved enterprise app catalogs for managed devices)
- Implement Mobile Device Management (MDM) policies to prevent installation of unsigned or unauthorized applications
- Use Screen Time content and privacy restrictions (or the equivalent MDM restriction) to block app installation on devices where users have no need to install software
- Regularly audit device logs and installed applications for suspicious activity
# Check current macOS version (compare it against the fixed versions listed above)
sw_vers
# Check for available updates on macOS
softwareupdate --list
# Install all available updates on macOS (requires admin rights; --restart reboots if the update needs it)
sudo softwareupdate --install --all --restart
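To decide whether a macOS host is at or above the fixed version for its release train without reading sw_vers by eye, here is an added Python check written for this page, not an Apple tool. The fixed versions are the ones listed under Patch Information; tuple comparison handles 15.7.10 versus 15.7.5 correctly where string comparison would not, and a major version the advisory does not name is reported as unlisted rather than guessed at.

```python
import platform
import subprocess

# Minimum fixed macOS versions per release train, from the Patch Information above.
FIXED_MACOS = {
    14: (14, 8, 5),  # Sonoma
    15: (15, 7, 5),  # Sequoia
    26: (26, 4),     # Tahoe
}


def parse_version(text):
    """'15.7.10' -> (15, 7, 10); tuples compare numerically, so 15.7.10 > 15.7.5."""
    return tuple(int(part) for part in text.strip().split("."))


def assess_macos(product_version):
    """Return 'patched', 'vulnerable' or 'unlisted' for a sw_vers ProductVersion."""
    version = parse_version(product_version)
    fixed = FIXED_MACOS.get(version[0])
    if fixed is None:
        return "unlisted"  # train not named in the advisory; check Apple's page directly
    return "patched" if version >= fixed else "vulnerable"


def local_product_version():
    """Read the running version via sw_vers; None when not on macOS."""
    if platform.system() != "Darwin":
        return None
    result = subprocess.run(["sw_vers", "-productVersion"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    current = local_product_version()
    if current is None:
        print("not macOS; pass a version string to assess_macos() instead")
    else:
        print(f"macOS {current}: {assess_macos(current)} for CVE-2026-28868")
```

Run it from an MDM script or a fleet inventory job and treat "unlisted" as a prompt to read Apple's advisory, not as a pass: a train that is absent from the table may be unsupported rather than unaffected.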
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

