CVE-2026-43655 Overview
CVE-2026-43655 is an out-of-bounds read vulnerability [CWE-125] affecting multiple Apple operating systems. Apple addressed the issue with improved bounds checking across iOS, iPadOS, macOS, tvOS, and watchOS. A malicious application can exploit this flaw to cause unexpected system termination or read kernel memory contents.
The vulnerability impacts a wide range of Apple devices, including iPhones, iPads, Macs, Apple TVs, and Apple Watches. Apple delivered fixes in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5.
Critical Impact
An app may be able to cause unexpected system termination or read kernel memory, potentially exposing sensitive data used to bypass kernel address space layout randomization (KASLR).
Affected Products
- Apple iOS and iPadOS (prior to 26.5)
- Apple macOS Tahoe (prior to 26.5)
- Apple tvOS and watchOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-43655 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43655
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in an Apple operating system component. The affected code path failed to validate buffer boundaries before performing a read operation. As a result, the routine could access memory outside the intended buffer region.
This class of flaw exposes adjacent memory contents to a caller that should not have access. On Apple platforms, the impact extends to kernel memory disclosure, which can reveal pointers, structures, and randomization values useful for further exploitation. The same condition can also trigger a kernel panic, producing an unexpected system termination.
The vulnerability is reachable by a local application. Apple's advisories do not require user interaction beyond running the malicious app on an affected device.
Root Cause
The root cause is missing or insufficient bounds checking on a memory access within the affected component. Apple's fix introduces improved bounds checking to ensure read operations stay within the allocated buffer. Specific implementation details and the affected component name are not disclosed in the public advisory.
Attack Vector
An attacker delivers a crafted application to a target device. When executed, the application invokes the vulnerable interface with parameters that trigger the out-of-bounds read. The app then either crashes the system or harvests leaked kernel memory for use in a multi-stage exploit chain.
No verified proof-of-concept code is publicly available. See the Apple Support Document #127110 for vendor details.
Detection Methods for CVE-2026-43655
Indicators of Compromise
- Unexpected kernel panics or system reboots on Apple devices, particularly correlated with the launch of a newly installed application.
- Crash reports in /Library/Logs/DiagnosticReports/ referencing kernel address faults or out-of-bounds memory access patterns.
- Installation of applications from outside the App Store or from unverified developer accounts on managed devices.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for OS version compliance and flag devices running pre-26.5 builds.
- Review diagnostic and crash logs for repeated panics tied to a specific process or bundle identifier.
- Correlate application install events with subsequent system stability anomalies across the fleet.
Monitoring Recommendations
- Ingest macOS unified logs and iOS crash reports into a centralized analytics platform for cross-device pattern analysis.
- Track application provenance and code signatures to identify unsigned or recently sideloaded binaries.
- Alert on devices that fall behind the patched OS baseline once Apple security updates are released.
How to Mitigate CVE-2026-43655
Immediate Actions Required
- Update all Apple devices to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5 as applicable.
- Enforce OS update compliance through MDM policies and block enrollment of devices on outdated builds.
- Restrict installation of applications to vetted sources and review existing app inventories for unknown publishers.
Patch Information
Apple released fixes in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5. Refer to the vendor advisories for the full list of addressed CVEs and device compatibility: Apple Support Document #127110, Apple Support Document #127115, Apple Support Document #127118, and Apple Support Document #127119.
Workarounds
- No vendor-supplied workaround exists. Apply the security update as the primary remediation.
- Limit application installation rights and disable sideloading where supported by enterprise configuration profiles.
- Educate users to avoid running applications from untrusted developers until devices are patched.
# Verify macOS version after patching
sw_vers -productVersion
# Check pending software updates on macOS
softwareupdate --list
# Install all available updates and restart if required
sudo softwareupdate -ia --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
