ESB-2026.4981
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.4981 APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 12 May 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Apple iOS Apple iPadOS Publisher: Apple Operating System: Apple iOS Resolution: Patch/Upgrade CVE Names: CVE-2026-28951 CVE-2026-28972 CVE-2026-28986 CVE-2026-28987 CVE-2026-28983 CVE-2026-43653 CVE-2026-43668 CVE-2026-43666 CVE-2026-28940 CVE-2026-28906 CVE-2026-43656 CVE-2026-28846 CVE-2026-28993 CVE-2026-28957 CVE-2026-43660 CVE-2026-28907 CVE-2026-28962 CVE-2026-28847 CVE-2026-28904 CVE-2026-28955 CVE-2026-28903 CVE-2026-28953 CVE-2026-28877 CVE-2026-28917 CVE-2026-28894 CVE-2026-28994 CVE-2026-28920 CVE-2026-28872 CVE-2026-28954 CVE-2026-28870 CVE-2026-28952 CVE-2026-28929 CVE-2026-28941 CVE-2026-28873 CVE-2026-28819 CVE-2026-28882 CVE-2026-28959 CVE-2026-28995 CVE-2026-39869 CVE-2026-28936 CVE-2026-43659 CVE-2026-28977 CVE-2026-28992 CVE-2026-28943 CVE-2026-28969 CVE-2026-43654 CVE-2026-28897 Original Bulletin: https://support.apple.com/en-us/127111 Comment: CVSS (Max): 7.5* CVE-2026-28894 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: NIST, [CISA-ADP] Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * Not all CVSS available when published EPSS (Max): 0.2% (42nd)* CVE-2026-28894 2026-05-11 * Not all EPSS found when published - --------------------------BEGIN INCLUDED TEXT-------------------- APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 iOS 18.7.9 and iPadOS 18.7.9 addresses the following issues. Information about the security content is also available at https://support.apple.com/en-us/127111. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accounts Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: An authorization issue was addressed with improved state management. CVE-2026-28877: Rosyna Keller of Totally Not Malicious Software APFS Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination Description: A buffer overflow was addressed with improved bounds checking. CVE-2026-28959: Dave G. App Intents Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A malicious app may be able to break out of its sandbox Description: A logic issue was addressed with improved restrictions. CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society Audio Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing an audio stream in a maliciously crafted media file may terminate the process Description: The issue was addressed with improved memory handling. CVE-2026-39869: David Ige of Beryllium Security Calendar Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to cause a denial-of-service Description: A resource exhaustion issue was addressed with improved input validation. CVE-2026-28872: Alvin Aries Tapia Calling Framework Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to cause a denial-of-service Description: A denial-of-service issue was addressed with improved input validation. CVE-2026-28894: an anonymous researcher CoreServices Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing a maliciously crafted file may lead to unexpected app termination Description: The issue was addressed with improved checks. CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs FileProvider Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: A race condition was addressed with additional validation. CVE-2026-43659: Alex Radocea GeoServices Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: An information leakage was addressed with additional validation. CVE-2026-28870: XiguaSec ImageIO Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing a maliciously crafted file may lead to unexpected app termination Description: The issue was addressed with improved bounds checks. CVE-2026-28977: Suresh Sundaram IOHIDFamily Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker may be able to cause unexpected app termination Description: A memory corruption vulnerability was addressed with improved locking. CVE-2026-28992: Johnny Franks (@zeroxjf) IOHIDFamily Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to determine kernel memory layout Description: A logging issue was addressed with improved data redaction. CVE-2026-28943: Google Threat Analysis Group IOKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination Description: A use after free issue was addressed with improved memory management. CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to disclose kernel memory Description: The issue was addressed with improved memory handling. CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon) Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A maliciously crafted disk image may bypass Gatekeeper checks Description: A file quarantine bypass was addressed with additional checks. CVE-2026-28954: Yiğit Can YILMAZ (@yilmazcanyigit) Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A buffer overflow was addressed with improved input validation. CVE-2026-28897: Robert Tran, popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Aswin kumar Gokulakannan Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination Description: An integer overflow was addressed with improved input validation. CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to gain root privileges Description: An authorization issue was addressed with improved state management. CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination or write kernel memory Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io) Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination Description: A race condition was addressed with additional validation. CVE-2026-28986: Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io), Chris Betz Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to leak sensitive kernel state Description: A logging issue was addressed with improved data redaction. CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97) LaunchServices Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to cause a denial of service Description: A type confusion issue was addressed with improved checks. CVE-2026-28983: Ruslan Dautov libxpc Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to enumerate a user's installed apps Description: This issue was addressed with improved checks. CVE-2026-28882: Ilya Andr (andrd3v), Ilias Morad (A2nkF) of Voynich Group, Duy Trần (@khanhduytran0), @hugeBlack Mail Drafts Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Replying to an email could display remote images in Mail in Lockdown Mode Description: A logic issue was addressed with improved checks. CVE-2026-28929: Yiğit Can YILMAZ (@yilmazcanyigit) mDNSResponder Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker on the local network may be able to cause a denial-of-service Description: The issue was addressed with improved memory handling. CVE-2026-43653: Atul R V mDNSResponder Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: A use after free issue was addressed with improved memory management. CVE-2026-43668: Ricardo Prado, Anton Pakhunov mDNSResponder Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker on the local network may be able to cause a denial-of-service Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2026-43666: Ian van der Wurff (ian.nl) Model I/O Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing a maliciously crafted image may corrupt process memory Description: The issue was addressed with improved memory handling. CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative Model I/O Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents Description: The issue was addressed with improved checks. CVE-2026-28941: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative Networking Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker may be able to track users through their IP address Description: This issue was addressed through improved state management. CVE-2026-28906: Ilya Sc. Jowell A. Privacy Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to circumvent App Privacy Report logging Description: This issue was addressed with additional entitlement checks. CVE-2026-28873: Guy Dor Quick Look Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Parsing a maliciously crafted file may lead to an unexpected app termination Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2026-43656: Peter Malone SceneKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to cause unexpected app termination Description: A buffer overflow was addressed with improved bounds checking. CVE-2026-28846: Peter Malone Shortcuts Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access user-sensitive data Description: This issue was addressed by adding an additional prompt for user consent. CVE-2026-28993: Doron Assness Status Bar Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to capture a user's screen Description: An issue with app access to camera metadata was addressed with improved logic. CVE-2026-28957: Adriatik Raci WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced Description: The issue was addressed with improved input validation. WebKit Bugzilla: 308675 CVE-2026-28907: Cantina WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced Description: A validation issue was addressed with improved logic. WebKit Bugzilla: 308906 CVE-2026-43660: Cantina WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may lead to an unexpected process crash Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 308707 CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Daniel Rhea, Anonymous working with TrendAI Zero Day Initiative WebKit Bugzilla: 309601 CVE-2026-28904: Luka Rački WebKit Bugzilla: 310303 CVE-2026-28903: Mateusz Krzywicki (iVerify.io) WebKit Bugzilla: 310880 CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative WebKit Bugzilla: 309628 CVE-2026-28953: Maher Azzouzi WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may disclose sensitive user information Description: This issue was addressed with improved access restrictions. WebKit Bugzilla: 309698 CVE-2026-28962: Vitaly Simonovich, Vaagn Vardanian, Luke Francis, kwak kiyong / kakaogames, greenbynox, Adel Bouachraoui WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may lead to an unexpected process crash Description: The issue was addressed with improved input validation. WebKit Bugzilla: 310527 CVE-2026-28917: Vitaly Simonovich Wi-Fi Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2026-28819: Wang Yu Wi-Fi Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets Description: A use after free issue was addressed with improved memory management. CVE-2026-28994: Alex Radocea zlib Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Visiting a maliciously crafted website may leak sensitive data Description: An information leakage was addressed with additional validation. CVE-2026-28920: Brendon Tiszka of Google Project Zero Additional recognition Kernel We would like to acknowledge Ryan Hileman via Xint Code (xint.io) for their assistance. Location We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance. Managed Configuration We would like to acknowledge kado for their assistance. Messages We would like to acknowledge Bishal Kafle for their assistance. Multi-Touch We would like to acknowledge Asaf Cohen for their assistance. This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 18.7.9 and iPadOS 18.7.9". All information is also posted on the Apple Security Releases web site: https://support.apple.com/100100. - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Apple iOS |
Timeline
- May 12, 2026 CVE Published