CVE-2026-28936 Overview
CVE-2026-28936 is an improper input validation vulnerability [CWE-20] affecting multiple Apple operating systems. Processing a maliciously crafted file can lead to unexpected application termination, resulting in a denial-of-service condition. Apple addressed the issue with improved checks across iOS, iPadOS, macOS, and visionOS. The flaw is reachable over the network with no privileges or user interaction required, per the published CVSS vector. Apple has released patches in iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, and visionOS 26.5.
Critical Impact
A remote attacker can deliver a crafted file that triggers unexpected termination of the processing application across iOS, iPadOS, macOS, and visionOS devices.
Affected Products
- Apple iOS and iPadOS (fixed in 18.7.9 and 26.5)
- Apple macOS Sonoma (fixed in 14.8.7) and macOS Tahoe (fixed in 26.5)
- Apple visionOS (fixed in 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28936 published to the National Vulnerability Database (NVD)
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28936
Vulnerability Analysis
The vulnerability is classified as improper input validation [CWE-20] in file-processing logic shared across Apple's operating systems. When an affected application parses a maliciously crafted file, missing or insufficient validation checks cause the process to terminate unexpectedly. Apple's advisory states the issue was addressed with improved checks, indicating that the parser failed to verify structural constraints before acting on attacker-controlled data. The result is an availability impact on the affected application without confirmed confidentiality or integrity consequences.
Root Cause
The root cause is missing validation on fields within a file format processed by Apple platform components. Without adequate checks, malformed input drives the application into an unrecoverable state. Apple's patch introduces additional validation in the affected parsing routines to reject malformed input before downstream code consumes it.
Attack Vector
An attacker delivers a crafted file to a target through any channel that causes the file to be processed by a vulnerable component. Common delivery paths include email attachments, web downloads, messaging apps, and shared cloud storage. No authentication or user interaction beyond opening or previewing the file is required for the parsing component to process the input. Successful exploitation produces a crash of the consuming application, disrupting workflows that rely on the affected file type.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-28936
Indicators of Compromise
- Repeated unexpected termination of the same application immediately after opening or previewing a file on iOS, iPadOS, macOS, or visionOS.
- Crash reports under ~/Library/Logs/DiagnosticReports/ on macOS referencing the affected parsing component with a faulting input file.
- Inbound delivery of unsolicited files via email, messaging, or web download immediately preceding application crashes.
Detection Strategies
- Monitor endpoint telemetry for abnormal process termination events correlated with recent file-open activity.
- Inspect mail and web gateway logs for delivery of file types associated with the affected components and triage clusters of similar files reaching multiple users.
- Track Apple platform versions across the fleet and flag devices running builds earlier than iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, or visionOS 26.5.
Monitoring Recommendations
- Centralize macOS and iOS crash reports and alert on parser-related signatures occurring repeatedly across endpoints.
- Correlate file delivery events with subsequent application crashes within short time windows to identify probing or targeted delivery.
- Maintain an OS version inventory and alert when unpatched Apple devices process files from untrusted sources.
How to Mitigate CVE-2026-28936
Immediate Actions Required
- Update all Apple devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, or visionOS 26.5 as applicable.
- Prioritize patching of devices that routinely process files from external senders, including executive, finance, and support staff endpoints.
- Enforce automatic updates through mobile device management (MDM) policies to close the exposure window across managed fleets.
Patch Information
Apple has published fixes in the following advisories: Apple Support Document #127110, Apple Support Document #127111, Apple Support Document #127115, Apple Support Document #127117, and Apple Support Document #127120. Apply the OS update that corresponds to each device's platform and major version.
Workarounds
- Avoid opening files received from untrusted or unverified senders until patches are deployed.
- Block or quarantine high-risk file types at email and web gateways for users who cannot update immediately.
- Restrict file previewing in messaging and collaboration applications on devices that remain on vulnerable OS versions.
# Verify macOS build version against the patched releases
sw_vers -productVersion
# Trigger software update check on macOS
sudo softwareupdate -l
sudo softwareupdate -ia --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
