SB2026051215 - Multiple vulnerabilities in Apple iOS 26 and iPadOS 26




Published: May 12, 2026

Security Bulletin ID SB2026051215
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 61
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium: 23%, Low: 77%

Description

This security bulletin contains information about 61 vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2026-43656)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds write in Quick Look. A local application can trick the victim into opening a specially crafted file and cause an unexpected app termination.


2) Memory corruption (CVE-ID: CVE-2026-28904)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


3) Memory corruption (CVE-ID: CVE-2026-28846)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in SceneKit. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected app termination.


4) Memory corruption (CVE-ID: CVE-2026-28991)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in Accelerate. A local application can cause a denial of service.


5) Improper access control (CVE-ID: CVE-2026-28993)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in Shortcuts when handling local application access. A local user can access the vulnerable component to disclose sensitive information.


6) Improper access control (CVE-ID: CVE-2026-28974)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper access restrictions in Spotlight. A local application can cause a denial of service.


7) Protection Mechanism Failure (CVE-ID: CVE-2026-28957)

The vulnerability allows a local application to capture the user's screen.

The vulnerability exists due to an insufficiently implemented restriction on app access to camera metadata in Status Bar. A local application can capture the user's screen.


8) Improper access control (CVE-ID: CVE-2026-28996)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in Storage when handling local application access. A local user can access the affected component and disclose sensitive information.


9) Protection Mechanism Failure (CVE-ID: CVE-2026-43660)

The vulnerability allows a remote attacker to prevent CSP enforcement.

The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


10) Protection Mechanism Failure (CVE-ID: CVE-2026-28907)

The vulnerability allows a remote attacker to prevent CSP enforcement.

The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


11) Improper access control (CVE-ID: CVE-2026-28962)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper access restrictions in WebKit when rendering content. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensitive information. 


12) Memory corruption (CVE-ID: CVE-2026-43658)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.


13) Memory corruption (CVE-ID: CVE-2026-28905)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


14) Memory corruption (CVE-ID: CVE-2026-28847)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


15) Memory corruption (CVE-ID: CVE-2026-28955)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


16) Out-of-bounds read (CVE-ID: CVE-2026-28920)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in zlib. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and read contents of memory on the system.


17) Memory corruption (CVE-ID: CVE-2026-28903)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


18) Memory corruption (CVE-ID: CVE-2026-28953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


19) Memory corruption (CVE-ID: CVE-2026-28902)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


20) Memory corruption (CVE-ID: CVE-2026-28901)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


21) Memory corruption (CVE-ID: CVE-2026-28913)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


22) Use after free (CVE-ID: CVE-2026-28883)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


23) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-28958)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to excessive data output in WebKit. A local application can access sensitive user data.


24) Improper input validation (CVE-ID: CVE-2026-28917)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.


25) Use after free (CVE-ID: CVE-2026-28947)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.


26) Use after free (CVE-ID: CVE-2026-28942)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.


27) Protection Mechanism Failure (CVE-ID: CVE-2026-28971)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A malicious iframe may use another website's download settings, which can lead to browser UI spoofing.


28) Memory corruption (CVE-ID: CVE-2026-28944)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebRTC. A remote attacker can trick the victim into opening a specially crafted file and cause an unexpected process crash.


29) State issues (CVE-ID: CVE-2026-28906)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a state issue in Networking. A remote attacker can track users through their IP address.


30) Memory corruption (CVE-ID: CVE-2026-28940)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in Model I/O. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.


31) Out-of-bounds write (CVE-ID: CVE-2026-43666)

The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds write in mDNSResponder. A remote attacker on the local network can cause a denial of service.


32) Memory corruption (CVE-ID: CVE-2026-28990)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.


33) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28988)

The vulnerability allows a local application to bypass implemented security restrictions. 

The vulnerability exists due to improperly imposed permissions in Accounts. A local application can bypass certain Privacy preferences.


34) Memory corruption (CVE-ID: CVE-2026-28959)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in APFS. A local application can cause unexpected system termination.


35) Improper access control (CVE-ID: CVE-2026-28995)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in App Intents. A local application can break out of its sandbox.


36) Improper input validation (CVE-ID: CVE-2026-1837)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in AppleJPEG when parsing input. A remote attacker can send a specially crafted input to cause a denial of service.


37) Improper input validation (CVE-ID: CVE-2026-28956)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient input validation in AppleJPEG. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination or corrupt process memory.


38) Memory corruption (CVE-ID: CVE-2026-39869)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in Audio. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.


39) Improper access control (CVE-ID: CVE-2026-28936)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper access restrictions in CoreServices. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination.


40) Memory corruption (CVE-ID: CVE-2026-28918)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in CoreSymbolication. A local application can trick the victim into opening a specially crafted file and cause an unexpected app termination.


41) Improper access control (CVE-ID: CVE-2026-43659)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in FileProvider when handling file provider operations. A local user can access the affected component and disclose sensitive information.


42) Memory corruption (CVE-ID: CVE-2026-43661)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.


43) Memory corruption (CVE-ID: CVE-2026-28977)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in ImageIO. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination.


44) Improper input validation (CVE-ID: CVE-2026-28992)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in IOHIDFamily when processing user-supplied input. A local user can send specially crafted input to cause a denial of service.


45) Use after free (CVE-ID: CVE-2026-43668)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in mDNSResponder. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected system termination or corrupt kernel memory.


46) Improper input validation (CVE-ID: CVE-2026-28943)


47) Use after free (CVE-ID: CVE-2026-28969)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in IOKit. A local application can cause unexpected system termination.


48) Memory corruption (CVE-ID: CVE-2026-43655)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in IOSurfaceAccelerator. A local application can cause unexpected system termination or read kernel memory.


49) Memory corruption (CVE-ID: CVE-2026-43654)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a boundary error in Kernel. A local application can disclose kernel memory.


50) Improper input validation (CVE-ID: CVE-2026-28897)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in Kernel. A local user can cause unexpected system termination or read kernel memory.


51) State issues (CVE-ID: CVE-2026-28951)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a state management issue in Kernel. A local application can gain root privileges.


52) Out-of-bounds write (CVE-ID: CVE-2026-28972)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to an out-of-bounds write in Kernel. A local application can cause unexpected system termination or write kernel memory.


53) Improper access control (CVE-ID: CVE-2026-28986)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in Kernel when handling a local application. A local user can run a local application to cause a denial of service.


54) Improper input validation (CVE-ID: CVE-2026-28987)


55) Improper access control (CVE-ID: CVE-2026-28983)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper access restrictions in LaunchServices. A remote attacker can trick the victim into opening a specially crafted file and cause a denial of service.


56) Memory corruption (CVE-ID: CVE-2026-43653)

The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in mDNSResponder. A remote attacker on the local network can cause a denial of service.


57) Improper input validation (CVE-ID: CVE-2026-28985)

The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in mDNSResponder. A remote attacker on the local network can cause a denial of service.


58) Use-after-free (CVE-ID: CVE-2026-28994)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a use-after-free error in Wi-Fi when handling wireless network traffic. A remote attacker can send specially crafted wireless traffic to cause a denial of service.


59) Multiple Interpretations of UI Input (CVE-ID: CVE-2026-28964)

The vulnerability allows a malicious application to gain access to sensitive information.

The vulnerability exists due to an inconsistent user interface issue in CoreAnimation. A local application can gain access to sensitive information. 


60) Information disclosure (CVE-ID: CVE-2026-28963)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to a privacy issue in Screenshots. An attacker with physical access to the device can use Visual Intelligence to access sensitive user data during iPhone Mirroring.


61) Information disclosure (CVE-ID: CVE-2026-28965)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to an error in WidgetKit. An attacker with physical access to the device can view restricted content from the lock screen.


Remediation

Install the update from the vendor's website.