CVE-2026-28972 Overview
CVE-2026-28972 is an out-of-bounds write vulnerability [CWE-787] affecting multiple Apple operating systems. A malicious application can trigger unexpected system termination or write to kernel memory by supplying inputs that bypass boundary checks. Apple addressed the flaw through improved input validation across its operating system families. The issue affects iOS, iPadOS, macOS Sequoia, macOS Sonoma, macOS Tahoe, tvOS, visionOS, and watchOS. Patched releases include iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
Critical Impact
A locally installed application can write to kernel memory, enabling system crashes or potential kernel-level compromise on unpatched Apple devices.
Affected Products
- Apple iOS and iPadOS (versions prior to 18.7.9 and 26.5)
- Apple macOS Sequoia (prior to 15.7.7), macOS Sonoma (prior to 14.8.7), and macOS Tahoe (prior to 26.5)
- Apple tvOS, visionOS, and watchOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28972 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28972
Vulnerability Analysis
The vulnerability is an out-of-bounds write condition reachable from an application context. When an app submits crafted input to an affected operating system component, the component writes data past the bounds of an allocated buffer. Because the write can land in kernel memory, it can corrupt kernel data structures and destabilize the system. Apple states that an app may cause unexpected system termination or write kernel memory.
The issue is tracked under [CWE-787: Out-of-bounds Write]. Kernel memory writes from a userland application represent a privilege boundary violation, since the kernel is intended to be isolated from app-level code. Apple resolved the flaw through improved input validation in the affected code path.
Root Cause
The root cause is insufficient validation of input parameters before performing a memory write operation. The vulnerable code path accepted attacker-controlled values without verifying that the destination offset or length stayed within allocated boundaries. The fix introduces additional bounds checks before the write executes.
Attack Vector
Exploitation requires an application running on the target device to invoke the vulnerable interface. Successful exploitation can corrupt kernel memory or terminate the system. No public proof-of-concept or in-the-wild exploitation has been reported for CVE-2026-28972, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified code examples are available. See Apple Support Document #127110 and the related advisories for additional technical context.
Detection Methods for CVE-2026-28972
Indicators of Compromise
- Unexpected kernel panics or system reboots correlated with the launch of a specific application.
- Crash reports referencing memory corruption faults in kernel extensions on affected OS versions.
- Installation of unsigned or unverified applications immediately preceding system instability events.
Detection Strategies
- Inventory Apple endpoints and compare installed OS versions against the patched releases listed by Apple.
- Monitor MDM-reported OS build numbers to identify devices running pre-patch versions of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS.
- Review application telemetry for processes triggering repeated kernel faults or panic logs.
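As an added example (not from the advisory or from Apple), a small Python triage helper that encodes the patched releases listed above and flags inventory rows still below the fix for their release train; it assumes the MDM inventory supplies the product family name (e.g. "macOS Sequoia") alongside the version string, and that a release train newer than every listed fix carries the fix.

```python
from typing import Dict, List, Tuple

# Fixed releases exactly as the advisory lists them, keyed by product family.
FIXED_RELEASES: Dict[str, List[str]] = {
    "iOS": ["18.7.9", "26.5"],
    "iPadOS": ["18.7.9", "26.5"],
    "macOS Sequoia": ["15.7.7"],
    "macOS Sonoma": ["14.8.7"],
    "macOS Tahoe": ["26.5"],
    "tvOS": ["26.5"],
    "visionOS": ["26.5"],
    "watchOS": ["26.5"],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.7.7' or '26.5' into a comparable tuple padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(product: str, version: str) -> bool:
    """True if the installed version is at or above the fix for its release train.
    A train with no listed fix (e.g. iOS 19.x) is treated as unpatched; a train
    newer than every listed fix is assumed to carry the fix (an assumption)."""
    fixes = FIXED_RELEASES.get(product)
    if fixes is None:
        raise KeyError(f"unknown product family: {product!r}")
    installed = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixes)
    for fix in fixed:
        if fix[0] == installed[0]:   # same major release train
            return installed >= fix
    return installed[0] > fixed[-1][0]

def triage(devices):
    """Return the (udid, product, version) rows that still need the update."""
    return [d for d in devices if not is_patched(d[1], d[2])]

# Constructed sample MDM inventory; the UDIDs and versions are made up.
SAMPLE_INVENTORY = [
    ("UDID-0001", "macOS Sequoia", "15.7.6"),
    ("UDID-0002", "macOS Sonoma", "14.8.7"),
    ("UDID-0003", "iOS", "18.7.9"),
    ("UDID-0004", "iPadOS", "26.4"),
    ("UDID-0005", "watchOS", "26.5"),
]

if __name__ == "__main__":
    for udid, product, version in triage(SAMPLE_INVENTORY):
        print(f"{udid}: {product} {version} is below the fixed release")
```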
Monitoring Recommendations
- Collect and centralize macOS and iOS crash logs to identify clusters of kernel-level faults.
- Track application installation events on managed Apple devices and correlate with system stability metrics.
- Alert on devices that remain on vulnerable OS builds beyond your defined patch SLA.
How to Mitigate CVE-2026-28972
Immediate Actions Required
- Update affected Apple devices to the fixed releases: iOS/iPadOS 18.7.9, iOS/iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
- Prioritize updates on devices where users install applications from outside managed app catalogs.
- Enforce update compliance through Mobile Device Management (MDM) policies.
Patch Information
Apple released fixes across its operating system families. Refer to the vendor advisories for build-specific details: Apple Support Document #127110, #127111, #127115, #127116, #127117, #127118, #127119, and #127120.
Workarounds
- Restrict application installation to vetted sources and enforce code signing requirements on managed macOS devices.
- Use MDM to block sideloading and limit installation of untrusted applications on iOS, iPadOS, and related platforms.
- Where patching is delayed, isolate vulnerable devices from sensitive workloads until updates are applied.
# Verify current macOS version against the patched release
sw_vers -productVersion
# Example: list managed Apple devices and their OS versions via MDM API
# (replace with your MDM's specific command or query)
# mdmctl list-devices --fields=udid,osVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.