CVE-2026-43654 Overview
CVE-2026-43654 is a kernel memory disclosure vulnerability affecting multiple Apple operating systems. The issue allows a malicious application to read kernel memory contents, potentially exposing sensitive information such as cryptographic keys, address space layouts, and other privileged data. Apple addressed the flaw with improved memory handling across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability is classified under [CWE-497] (Exposure of Sensitive System Information to an Unauthorized Control Sphere).
Critical Impact
A locally installed application can disclose kernel memory contents, undermining kernel address space layout randomization (KASLR) and exposing sensitive data that may enable follow-on privilege escalation attacks.
Affected Products
- Apple iOS and iPadOS (versions prior to 18.7.9 and 26.5)
- Apple macOS Sequoia (prior to 15.7.7), macOS Sonoma (prior to 14.8.7), and macOS Tahoe (prior to 26.5)
- Apple tvOS, visionOS, and watchOS (versions prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-43654 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43654
Vulnerability Analysis
The vulnerability allows an unprivileged application running on an affected Apple operating system to read regions of kernel memory that should be inaccessible to user space. According to Apple's advisories, the root cause involves improper memory handling within a kernel component. Apple resolved the issue by introducing improved memory handling logic in the affected code paths.
Kernel memory disclosure flaws are particularly valuable to attackers because they can defeat KASLR. By leaking kernel pointers or structure contents, an attacker can locate exploitable primitives and chain this disclosure with a memory corruption vulnerability to achieve kernel-level code execution. The bug does not, by itself, grant write access or code execution.
Root Cause
The underlying weakness corresponds to [CWE-497], in which sensitive system information stored in kernel memory is exposed to an unauthorized control sphere. Apple's advisories indicate the fix involved improved memory handling, suggesting the original code did not properly initialize, bound, or sanitize a memory region before returning data to user space.
Attack Vector
Exploitation requires the attacker to run code on the target device, typically through a malicious or compromised application. While the CVSS vector lists a network attack vector, practical exploitation requires an app installed on the device to invoke the vulnerable kernel interface. The attacker receives kernel memory contents that can be parsed for pointers, credentials, or structure data useful in a multi-stage exploit chain.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Apple Support Article #127110 for vendor technical details.
Detection Methods for CVE-2026-43654
Indicators of Compromise
- Unexpected applications making frequent or unusual kernel API calls that return memory buffers.
- Devices running outdated OS builds below iOS 18.7.9, iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or any 26.x release earlier than 26.5.
- Crash reports or kernel panics correlated with newly installed third-party applications.
Detection Strategies
- Inventory all Apple endpoints and compare installed OS versions against the patched baseline to identify exposed devices.
- Monitor mobile device management (MDM) reports and endpoint telemetry for applications requesting unusual entitlements or making anomalous kernel syscalls.
- Review application provenance and code signing status, focusing on sideloaded or enterprise-signed binaries that may host exploit payloads.
Monitoring Recommendations
- Forward macOS unified logs and MDM compliance data to a central analytics platform to track patch state and suspicious process behavior.
- Alert on processes that repeatedly invoke kernel interfaces associated with the patched components after the fix is deployed.
- Track Apple security advisories for related kernel CVEs and correlate with EPSS score changes — currently 0.048% at the 15.006 percentile.
How to Mitigate CVE-2026-43654
Immediate Actions Required
- Update all Apple devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, or watchOS 26.5.
- Enforce minimum OS versions through MDM compliance policies and block non-compliant devices from sensitive resources.
- Audit installed applications and remove untrusted or unnecessary third-party software from managed fleets.
Patch Information
Apple released fixed builds across its operating system portfolio. Refer to the corresponding vendor advisories: Apple Support Article #127110, #127111, #127115, #127116, #127117, #127118, #127119, and #127120.
Workarounds
- No vendor-provided workaround exists; patching is the only complete remediation.
- Restrict application installation to vetted App Store sources and disable sideloading where supported.
- Enable automatic OS updates on managed and personal devices to reduce exposure windows for future kernel disclosures.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
