CVE-2026-28994 Overview
CVE-2026-28994 is a use-after-free vulnerability [CWE-416] affecting the Wi-Fi packet handling logic in multiple Apple operating systems. An attacker in a privileged network position can send crafted Wi-Fi packets to trigger memory corruption, resulting in a denial-of-service condition on the target device. Apple addressed the issue with improved memory management across iOS, iPadOS, macOS, tvOS, and watchOS releases. The vulnerability requires adjacent network access and high attack complexity, but no privileges or user interaction.
Critical Impact
A remote attacker on the same Wi-Fi network can crash or destabilize iPhones, iPads, Macs, Apple TVs, and Apple Watches using malformed wireless frames.
Affected Products
- Apple iOS prior to 18.7.9 and iOS 26.5; iPadOS prior to 18.7.9 and iPadOS 26.5
- Apple macOS Sequoia prior to 15.7.7, macOS Sonoma prior to 14.8.7, and macOS Tahoe prior to 26.5
- Apple tvOS prior to 26.5 and watchOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28994 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28994
Vulnerability Analysis
The flaw resides in the Wi-Fi subsystem responsible for parsing and processing incoming 802.11 frames. Apple's advisories describe the defect as a use-after-free condition that occurs when crafted Wi-Fi packets trigger reuse of memory after it has been released. Successful exploitation produces a denial-of-service outcome rather than code execution or data disclosure. The attack vector is limited to adjacent networks, meaning the attacker must be associated with or within radio range of the same wireless network as the target.
Root Cause
The root cause is improper lifetime management of an object within the Wi-Fi packet processing path. When specific packet sequences arrive, code references a freed memory region, leading to memory corruption and process termination. Apple's fix introduces improved memory management to ensure freed objects are no longer accessed by subsequent operations.
Attack Vector
Exploitation requires the attacker to be in a privileged network position adjacent to the victim, such as on the same Wi-Fi network or operating a rogue access point in proximity. The attacker transmits crafted Wi-Fi frames designed to drive the device into the vulnerable code path. No authentication or user interaction is required. The result is a denial-of-service that can repeatedly crash networking services or the device itself.
No verified public proof-of-concept code is available for this issue. Refer to the Apple Support Advisory #127110 and related advisories for technical context.
Detection Methods for CVE-2026-28994
Indicators of Compromise
- Unexpected Wi-Fi disconnects, kernel panics, or device reboots on Apple endpoints connected to a specific wireless network
- Repeated wifid or kernel crash reports in macOS diagnostic logs referencing the 802.11 stack
- Anomalous volumes of malformed or oversized 802.11 management or data frames observed by wireless intrusion detection sensors
Detection Strategies
- Monitor endpoint telemetry for crash signatures originating in Wi-Fi driver components and correlate with nearby wireless activity
- Deploy wireless intrusion detection systems (WIDS) to flag malformed frames, deauthentication storms, and rogue access points
- Centralize macOS and iOS crash diagnostics for retrospective analysis when DoS events are reported
Monitoring Recommendations
- Track Apple device OS build versions across the fleet to identify systems still running pre-patch releases
- Alert on clusters of Wi-Fi disconnects affecting multiple Apple devices on the same SSID within a short window
- Review wireless access point logs for unusual association or probe-request patterns preceding device crashes
How to Mitigate CVE-2026-28994
Immediate Actions Required
- Update affected Apple devices to iOS 18.7.9 or 26.5, iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5
- Prioritize patching for devices that routinely connect to untrusted or public Wi-Fi networks
- Validate MDM-managed fleets enforce the minimum patched OS versions and quarantine non-compliant devices
Patch Information
Apple released coordinated security updates documented in advisories #127110, #127111, #127115, #127116, #127117, #127118, and #127119. The fix addresses the use-after-free with improved memory management in the Wi-Fi component.
Workarounds
- Disable Wi-Fi on unpatched devices when not required, or restrict use to trusted enterprise networks with WPA3 enforcement
- Avoid connecting unpatched Apple devices to public or untrusted wireless networks until updates are applied
- Segment guest and corporate wireless networks to limit adjacency between unmanaged clients and managed Apple endpoints
# Verify installed OS version on macOS
sw_vers -productVersion
# Trigger software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
