CVE-2026-28943 Overview
CVE-2026-28943 is an information disclosure vulnerability affecting multiple Apple operating systems. The flaw stems from insufficient data redaction in system logs [CWE-532], allowing a local application to determine kernel memory layout. Apple addressed the issue with improved data redaction across iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.
The vulnerability impacts confidentiality by exposing kernel memory layout information that attackers can use to bypass Kernel Address Space Layout Randomization (KASLR). This information leak weakens a foundational exploit mitigation and aids chained attacks targeting kernel-level vulnerabilities.
Critical Impact
An application can read sensitive log data to determine kernel memory layout, undermining KASLR and enabling reliable kernel exploitation as part of a chained attack.
Affected Products
- Apple iOS and iPadOS (fixed in 18.7.9 and 26.5)
- Apple macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5
- Apple tvOS 26.5, watchOS 26.5, visionOS
Discovery Timeline
- 2026-05-11 - CVE-2026-28943 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28943
Vulnerability Analysis
The vulnerability is classified under [CWE-532]: Insertion of Sensitive Information into Log File. Apple's affected components wrote kernel memory addresses or related layout information into log output without sufficient redaction. Any application with permission to read these logs could extract values that reveal the kernel's runtime memory layout.
Kernel memory layout disclosure defeats KASLR, the randomization mitigation that places kernel code and data at unpredictable addresses on each boot. Once an attacker knows kernel base addresses or slide values, exploit primitives for separate kernel vulnerabilities become reliable rather than probabilistic.
The issue does not, by itself, grant code execution. Its value lies in chained exploitation, where it pairs with a memory corruption or logic flaw to achieve kernel-level compromise on iPhone, iPad, Mac, Apple TV, Apple Watch, or Vision Pro devices.
Root Cause
The root cause is improper log sanitization. Diagnostic or system log entries contained kernel pointers or memory layout artifacts that should have been redacted before being written. Apple's fix introduces improved data redaction in the logging pipeline so sensitive kernel addresses no longer appear in accessible log output.
Attack Vector
Exploitation requires an attacker-controlled application running on the device. The malicious app reads the relevant system logs and parses the unredacted entries to recover kernel layout details. The disclosed values are then used to compute reliable kernel target addresses for follow-on exploitation.
The vulnerability does not require user interaction beyond installing or executing the attacker's application. It is most relevant in scenarios involving sandboxed apps attempting privilege escalation, jailbreak chains, or commercial mercenary spyware payloads targeting Apple devices.
Detection Methods for CVE-2026-28943
Indicators of Compromise
- Applications enumerating or reading from system log facilities such as os_log, unified logging stores, or /var/log paths on macOS without a legitimate diagnostic purpose.
- Unsigned or sideloaded applications invoking log access APIs shortly after launch.
- Processes exporting log archives (.logarchive) or running log show / log collect with broad predicates on endpoint devices.
Detection Strategies
- Inventory Apple endpoints and flag any device still running iOS/iPadOS earlier than 18.7.9 or 26.5, macOS Sonoma earlier than 14.8.7, macOS Sequoia earlier than 15.7.7, macOS Tahoe earlier than 26.5, or tvOS/watchOS earlier than 26.5.
- Monitor MDM telemetry for OS build strings to confirm patch deployment status across managed devices.
- Hunt for applications that request log entitlements or access private logging frameworks without justification in the app's stated functionality.
Monitoring Recommendations
- Enable centralized log forwarding from managed Macs and review processes that read or export the unified log store.
- Track app installs from non-App Store sources and correlate against subsequent log access activity.
- Establish alerts on MDM compliance dashboards for devices missing the May 2026 Apple security updates.
How to Mitigate CVE-2026-28943
Immediate Actions Required
- Update all Apple devices to iOS 18.7.9 or iOS 26.5, iPadOS 18.7.9 or iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5 as applicable.
- Push the updates through Mobile Device Management (MDM) and enforce minimum OS version policies for corporate access.
- Restrict installation of unsigned or unvetted applications, particularly on devices that handle sensitive data.
Patch Information
Apple released coordinated fixes documented in support articles HT127110, HT127111, HT127115, HT127116, HT127117, HT127118, and HT127119. The fix improves data redaction in logging so kernel memory layout information is no longer written to accessible logs.
Workarounds
- No vendor-supplied workaround exists; applying the security update is the only complete mitigation.
- Reduce risk in the interim by limiting app installations to the App Store and removing applications that request log access without a clear purpose.
- Use MDM configuration profiles to restrict diagnostic log access and developer tooling on production devices.
# Verify the installed OS build on macOS to confirm patch level
sw_vers
# Verify the iOS/iPadOS version of a supervised device via MDM query
# (example using mdmclient on macOS-managed contexts)
sudo mdmclient QueryDeviceInformation | grep -i osversion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
