CVE-2026-28940 Overview
CVE-2026-28940 is a memory corruption vulnerability affecting multiple Apple operating systems. Processing a maliciously crafted image can corrupt process memory, enabling attackers to disrupt application state through network-delivered content. The flaw is categorized under CWE-119, improper restriction of operations within the bounds of a memory buffer. Apple addressed the issue with improved memory handling in iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, and visionOS 26.5.
Critical Impact
A network-reachable attacker can trigger memory corruption on unpatched Apple devices by delivering a crafted image, with no privileges or user interaction required.
Affected Products
- Apple iOS and iPadOS (prior to 18.7.9 and 26.5)
- Apple macOS Sequoia (prior to 15.7.7) and macOS Tahoe (prior to 26.5)
- Apple tvOS and visionOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28940 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28940
Vulnerability Analysis
The vulnerability resides in Apple's image processing pipeline shared across iOS, iPadOS, macOS, tvOS, and visionOS. When the affected components parse a maliciously crafted image, memory operations exceed intended boundaries and corrupt process memory. Apple's advisories describe the fix as "improved memory handling," indicating insufficient validation of image data during decoding.
The issue is reachable over the network without authentication and without user interaction. Image rendering frequently occurs in background processes, messaging clients, web browsers, and preview services, expanding the attack surface. Successful exploitation impacts process availability and integrity of in-memory state, with confidentiality consequences depending on the affected component.
Root Cause
The root cause is improper restriction of operations within memory buffer bounds [CWE-119] in image decoding routines. Specific parsing logic does not adequately validate structural fields or size parameters within the crafted image before performing memory operations, allowing out-of-bounds access during decode.
Attack Vector
An attacker delivers a crafted image through any channel that triggers Apple's image processing stack. Common vectors include web pages, email attachments, instant messages, AirDrop transfers, and embedded previews. The image does not require user action beyond normal content rendering, making drive-by exploitation feasible.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data placed the exploitation probability as low at the time of publication.
Detection Methods for CVE-2026-28940
Indicators of Compromise
- Unexpected crashes in image rendering services such as ImageIO, MediaToolbox, or browser content processes on Apple endpoints.
- Repeated delivery of unusual image attachments (HEIC, TIFF, PNG, JPEG variants) from untrusted senders preceding application instability.
- Crash reports referencing memory access violations in image decoding frames.
Detection Strategies
- Monitor endpoint crash diagnostics and ReportCrash artifacts for image decoder faults across Apple devices.
- Inspect mail and messaging gateways for malformed image files with anomalous structure or oversized metadata sections.
- Correlate process crashes with recent image file ingestion across browser, messaging, and mail clients.
Monitoring Recommendations
- Track Apple OS version inventory and flag endpoints below the patched releases listed in Apple's advisories.
- Alert on repeated crashes of the same image-handling process within a short interval on a single host.
- Capture network telemetry for image-bearing traffic from low-reputation domains delivered to vulnerable endpoints.
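The repeated-crash alerting described above, as an added example that is not part of the original advisory: it reads simplified crash records (constructed sample lines in a key=value format, not real ReportCrash output) and flags a host when the same process faults in an image decoding frame several times within a short window.

```python
# Flags hosts where the same image-handling process crashes repeatedly within
# a short interval and the reports point at image decoding frames.
# Sample lines below are constructed; field names are this example's own.
from collections import defaultdict
from datetime import datetime, timedelta

IMAGE_DECODER_FRAMES = {"ImageIO", "MediaToolbox"}   # frames named in the advisory
MEMORY_FAULTS = {"EXC_BAD_ACCESS"}                    # memory access violation

def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return record

def find_crash_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (host, process) pairs with >= threshold decoder faults inside window."""
    by_key = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("exc") in MEMORY_FAULTS and rec.get("frame") in IMAGE_DECODER_FRAMES:
            by_key[(rec["host"], rec["process"])].append(rec["ts"])
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

# Constructed sample crash records (three decoder faults in 5 minutes on one host).
SAMPLE_CRASHES = [
    "2026-05-14T09:00:03Z host=mac-ceo-01 process=com.apple.WebKit.WebContent exc=EXC_BAD_ACCESS frame=ImageIO",
    "2026-05-14T09:02:41Z host=mac-ceo-01 process=com.apple.WebKit.WebContent exc=EXC_BAD_ACCESS frame=ImageIO",
    "2026-05-14T09:04:10Z host=mac-ceo-01 process=com.apple.WebKit.WebContent exc=EXC_BAD_ACCESS frame=MediaToolbox",
    "2026-05-14T09:01:00Z host=mac-dev-02 process=Mail exc=EXC_BAD_ACCESS frame=ImageIO",
    "2026-05-14T13:30:00Z host=mac-dev-02 process=Mail exc=EXC_BAD_ACCESS frame=ImageIO",
    "2026-05-14T09:05:00Z host=mac-dev-02 process=Xcode exc=EXC_CRASH frame=Foundation",
]

if __name__ == "__main__":
    for host, proc in find_crash_bursts(SAMPLE_CRASHES):
        print(f"ALERT: {proc} crashed repeatedly in image decoding on {host}")
```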
How to Mitigate CVE-2026-28940
Immediate Actions Required
- Update affected devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, or visionOS 26.5.
- Prioritize patching for devices that routinely process external images such as executive endpoints, mail servers, and shared workstations.
- Audit mobile device management (MDM) compliance to confirm fleet-wide deployment of patched builds.
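A fleet compliance check for the patched releases listed above, added here as an example and not part of the original advisory: it compares each device's installed version against the fixed release for its branch, and treats branches the advisory does not list as an assumption (newer than the newest fixed branch is assumed patched; older is treated as vulnerable). The inventory is constructed sample data.

```python
# Flags Apple endpoints running builds older than the fixed releases for
# CVE-2026-28940. Fixed versions come from the advisory text; the inventory
# records are constructed sample data.

# Fixed release per product and major-version branch, as listed in the advisory.
FIXED = {
    "iOS":      {18: "18.7.9", 26: "26.5"},
    "iPadOS":   {18: "18.7.9", 26: "26.5"},
    "macOS":    {15: "15.7.7", 26: "26.5"},   # Sequoia 15.7.7, Tahoe 26.5
    "tvOS":     {26: "26.5"},
    "visionOS": {26: "26.5"},
}

def parse_version(text: str) -> tuple:
    """Turn '18.7.9' into (18, 7, 9) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    branches = FIXED.get(product)
    if branches is None:
        return "unknown"                      # product not covered by the advisory
    installed = parse_version(version)
    fixed = branches.get(installed[0])
    if fixed is None:
        # Branch not listed in the advisory. Assumption: a branch newer than the
        # newest fixed one already carries the fix; an older branch has no fix.
        return "patched" if installed[0] > max(branches) else "vulnerable"
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

def flag_noncompliant(inventory) -> list:
    """Return hostnames that are vulnerable or cannot be assessed."""
    return [host for host, product, version in inventory
            if assess(product, version) != "patched"]

# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("mac-ceo-01", "macOS", "15.7.6"),        # one release short of 15.7.7
    ("mac-dev-02", "macOS", "26.5"),
    ("ipad-lobby", "iPadOS", "18.7.9"),
    ("iphone-sales-3", "iOS", "26.4.1"),      # 26.4.1 sorts below 26.5
    ("atv-boardroom", "tvOS", "26.5"),
    ("iphone-legacy", "iOS", "17.6"),         # branch with no listed fix
]

if __name__ == "__main__":
    for host in flag_noncompliant(SAMPLE_INVENTORY):
        print("NEEDS UPDATE:", host)
```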
Patch Information
Apple released fixes across its operating system lineup. Refer to the vendor advisories for component-specific notes: Apple Security Advisory 127110, Apple Security Advisory 127111, Apple Security Advisory 127115, Apple Security Advisory 127116, Apple Security Advisory 127118, and Apple Security Advisory 127120.
Workarounds
- Restrict automatic image previews in mail and messaging clients where feasible until patches are deployed.
- Block or quarantine inbound image attachments from untrusted senders at email and web gateways.
- Enforce MDM policies that mandate timely OS updates and report non-compliant devices.
# Verify macOS build version against patched releases
sw_vers -productVersion
# Trigger software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.