Recent bundles
Unauthenticated Remote Code Execution in Samba printing subsystem
2026-05-31T14:00:10+0000 by Alexandre Dulaunoy

===========================================================
== Subject:     Unauthenticated Remote Code Execution
==              in Samba printing subsystem
==
== CVE ID#:     CVE-2026-4480
==
== Versions:    All versions
==
== Summary:     Samba print servers with a "print command"
==              that has the %J substitution character
==              are vulnerable to a Remote Code Execution
===========================================================
===========
Description
===========
Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. This leads to a remote code execution vulnerability.
Print servers configured with "printing = cups" or "printing = iprint", and print servers that do not have the %J substitution character in the "print command" setting are not affected.
The problem is much less dangerous if %J has single quotes directly around it, e.g. '%J', but it's still possible to inject command line options.
By default, print servers allow guest users to print.
==================
Patch Availability
==================
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0
==========
Workaround
==========
Adding single quotes (directly!) around %J (=> '%J') makes it much less likely an attacker can do something useful. Note using double quotes may not be enough.
If unsure remove %J completely from the "print command" smb.conf entry.
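To check an existing configuration against the conditions above, the following added example (not part of the Samba advisory or the Samba code base) classifies each print share in an smb.conf by how %J appears in its effective "print command". It assumes only explicitly configured values matter, inherits from [global], and does not follow "include" directives; the sample configuration and the label-print path are constructed.

```python
import re

# Per the advisory, print servers using these "printing" values are not affected.
UNAFFECTED_BACKENDS = {"cups", "iprint"}
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample smb.conf for illustration; label-print is a hypothetical tool.
SAMPLE_CONF = r"""
[global]
   printing = bsd
   print command = lpr -r -P'%p' -J %J %s

[printers]
   printable = yes

[labels]
   printable = yes
   print command = /usr/local/bin/label-print -t '%J' %s

[plotter]
   print ok = true
   print command = lp -d %p \
       -t "%J" %s

[office]
   printable = yes
   printing = CUPS

[raw]
   printable = yes
   print command = lpr -P'%p' %s

[data]
   path = /srv/data
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Section names and keys are lowercased and keys have whitespace removed,
    so "print command" and "printcommand" map to the same entry.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def j_quoting(command):
    """Return 'absent', 'single-quoted' or 'weak' for %J in a print command."""
    positions = [m.start() for m in re.finditer("%J", command)]
    if not positions:
        return "absent"
    for i in positions:
        # The workaround requires quotes *directly* around %J: exactly '%J'.
        if not (i > 0 and command[i - 1] == "'" and command[i + 2:i + 3] == "'"):
            return "weak"  # bare, double-quoted, or quotes not adjacent
    return "single-quoted"


def audit(text):
    """Map each print share to its exposure status for the %J issue."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    report = {}
    for name, params in conf.items():
        if name == "global":
            continue
        effective = {**defaults, **params}  # share values override [global]
        printable = (effective.get("printable", "").lower() in TRUE_VALUES
                     or effective.get("printok", "").lower() in TRUE_VALUES)
        if not (printable or name == "printers"):
            continue  # not a print share
        if effective.get("printing", "").lower() in UNAFFECTED_BACKENDS:
            report[name] = "not affected (backend)"
            continue
        quoting = j_quoting(effective.get("printcommand", ""))
        report[name] = {
            "absent": "not affected (no %J)",
            "single-quoted": "reduced ('%J': option injection still possible)",
            "weak": "exposed (%J not directly single-quoted)",
        }[quoting]
    return report


if __name__ == "__main__":
    for share, status in audit(SAMPLE_CONF).items():
        print(f"[{share}] {status}")
```

A "reduced" result still calls for the upgrade or for removing %J, since the advisory states that command line options can be injected even with '%J'.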
=======
Credits
=======
Originally reported by:
- Ron Ben Yizhak with SafeBreach
- John Walker with ZeroPath
- Arjun Basnet with Securin Labs

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.
This advisory by Volker Lendecke and Stefan Metzmacher of Sernet and the Samba team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Related vulnerabilities: CVE-2026-4480
Debian - [SECURITY] [DSA 6297-1] samba security update
2026-05-26T14:33:00+0000 by Alexandre Dulaunoy

Package : samba
CVE ID : CVE-2026-1933 CVE-2026-2340 CVE-2026-3012 CVE-2026-3238 CVE-2026-4408 CVE-2026-4480
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix, which might result in bypass of access checks, overwrite of files in unintended situations using the WORM vfs module, installing CA certificates over http without verification when auto-enrollment GPO is enabled, denial of service or remote code execution.
For the oldstable distribution (bookworm), these problems have been fixed in version 2:4.17.12+dfsg-0+deb12u4.
For the stable distribution (trixie), these problems have been fixed in version 2:4.22.8+dfsg-0+deb13u2.
We recommend that you upgrade your samba packages.
For the detailed security status of samba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/samba
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
Related vulnerabilities: CVE-2026-1933, CVE-2026-2340, CVE-2026-4480, CVE-2026-4408, CVE-2026-3238, CVE-2026-3012
About the security content of iOS 26.5 and iPadOS 26.5 - Apple Support
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released May 11, 2026
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-28991: Seiji Sakurai (@HeapSmasher)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to bypass certain Privacy preferences
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-28988: Asaf Cohen
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28959: Dave G.
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious app may be able to break out of its sandbox
Description: A logic issue was addressed with improved restrictions.
CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may lead to a denial-of-service
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2026-1837
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: A memory corruption issue was addressed with improved input validation.
CVE-2026-28956: impost0r (ret2plt)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing an audio stream in a maliciously crafted media file may terminate the process
Description: The issue was addressed with improved memory handling.
CVE-2026-39869: David Ige of Beryllium Security
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2026-28964: Alan Wang, Christopher W. Fletcher, Hovav Shacham, David Kohlbrenner, Riccardo Paccagnella
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved checks.
CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2026-28918: Niels Hofmans, Anonymous working with TrendAI Zero Day Initiative
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-43659: Alex Radocea
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may corrupt process memory
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2026-43661: an anonymous researcher
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2026-28977: Suresh Sundaram
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28990: Jiri Ha, Arni Hardarson
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker may be able to cause unexpected app termination
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2026-28992: Johnny Franks (@zeroxjf)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to determine kernel memory layout
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28943: Google Threat Analysis Group
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-43655: Somair Ansar and an anonymous researcher
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: A buffer overflow was addressed with improved input validation.
CVE-2026-28897: popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Robert Tran, Aswin kumar Gokulakannan
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state management.
CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: A race condition was addressed with additional validation.
CVE-2026-28986: Chris Betz, Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to leak sensitive kernel state
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A remote attacker may be able to cause a denial of service
Description: A type confusion issue was addressed with improved checks.
CVE-2026-28983: Ruslan Dautov
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2026-43653: Atul R V
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: A null pointer dereference was addressed with improved input validation.
CVE-2026-28985: Omar Cerrito
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2026-43668: Anton Pakhunov, Ricardo Prado
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-43666: Ian van der Wurff (ian.nl)
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker may be able to track users through their IP address
Description: This issue was addressed through improved state management.
CVE-2026-28906: Ilya Sc. Jowell A.
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-43656: Peter Malone
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A remote attacker may be able to cause unexpected app termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28846: Peter Malone
Available for: iPhone 15 and later
Impact: An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring
Description: A privacy issue was addressed by removing the vulnerable code.
CVE-2026-28963: Jorge Welch
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2026-28993: Doron Assness
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: This issue was addressed with improved checks to prevent unauthorized actions.
CVE-2026-28974: Andy Koo (@andykoo) of Hexens
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to capture a user's screen
Description: An issue with app access to camera metadata was addressed with improved logic.
CVE-2026-28957: Adriatik Raci
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-28996: Alex Radocea
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A validation issue was addressed with improved logic.
WebKit Bugzilla: 308906
CVE-2026-43660: Cantina
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 308675
CVE-2026-28907: Cantina
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: This issue was addressed with improved access restrictions.
WebKit Bugzilla: 309698
CVE-2026-28962: Luke Francis, Vaagn Vardanian, kwak kiyong / kakaogames, Vitaly Simonovich, Adel Bouachraoui, greenbynox
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 307669
CVE-2026-43658: Do Young Park
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308545
CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu, and Zhe Wang
WebKit Bugzilla: 308707
CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Anonymous working with TrendAI Zero Day Initiative, Daniel Rhea
WebKit Bugzilla: 309601
CVE-2026-28904: Luka Rački
WebKit Bugzilla: 310880
CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative
WebKit Bugzilla: 310303
CVE-2026-28903: Mateusz Krzywicki (iVerify.io)
WebKit Bugzilla: 309628
CVE-2026-28953: Maher Azzouzi
WebKit Bugzilla: 309861
CVE-2026-28902: Tristan Madani (@TristanInSec) from Talence Security, Nathaniel Oh (@calysteon)
WebKit Bugzilla: 310207
CVE-2026-28901: Aisle offensive security research team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen of Calif.io
WebKit Bugzilla: 311631
CVE-2026-28913: an anonymous researcher
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313939
CVE-2026-28883: kwak kiyong / kakaogames
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved data protection.
WebKit Bugzilla: 311228
CVE-2026-28958: Cantina
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 310527
CVE-2026-28917: Vitaly Simonovich
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 310234
CVE-2026-28947: dr3dd
WebKit Bugzilla: 312180
CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious iframe may use another website’s download settings
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 311288
CVE-2026-28971: Khiem Tran
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 311131
CVE-2026-28944: Kenneth Hsu of Palo Alto Networks, Jérôme DJOUDER, dr3dd
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker in a privileged network position may be able to perform a denial-of-service attack using crafted Wi-Fi packets
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28994: Alex Radocea
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A user may be able to view restricted content from the lock screen
Description: A privacy issue was addressed with improved checks.
CVE-2026-28965: Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: An information leakage was addressed with additional validation.
CVE-2026-28920: Brendon Tiszka of Google Project Zero
We would like to acknowledge Mikael Kinnman for their assistance.
We would like to acknowledge Iván Savransky, YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab for their assistance.
We would like to acknowledge Brian Carpenter for their assistance.
We would like to acknowledge Gongyu Ma (@Mezone0) for their assistance.
We would like to acknowledge Mustafa Calap for their assistance.
We would like to acknowledge an anonymous researcher for their assistance.
We would like to acknowledge Ryan Hileman via Xint Code (xint.io), Suresh Sundaram, an anonymous researcher for their assistance.
We would like to acknowledge Chris Staite and David Hardy of Menlo Security Inc for their assistance.
We would like to acknowledge Ilias Morad (@A2nkF_) for their assistance.
We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.
We would like to acknowledge Himanshu Bharti (@Xpl0itme) From Khatima for their assistance.
We would like to acknowledge Jason Grove for their assistance.
We would like to acknowledge Bishal Kafle, Jeffery Kimbrow for their assistance.
We would like to acknowledge Asaf Cohen for their assistance.
We would like to acknowledge Asilbek Salimov, Mohamed Althaf for their assistance.
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India, Christopher Mathews for their assistance.
We would like to acknowledge Dalibor Milanovic for their assistance.
We would like to acknowledge Jacob Prezant (prezant.us) for their assistance.
We would like to acknowledge Yoav Magid for their assistance.
We would like to acknowledge Shaheen Fazim for their assistance.
We would like to acknowledge Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, Qadhafy Muhammad Tera, Vitaly Simonovich for their assistance.
We would like to acknowledge Hyeonji Son (@jir4vv1t) of Demon Team for their assistance.
We would like to acknowledge Yusuf Kelany for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date: May 11, 2026
Related vulnerabilities: CVE-2026-43654, CVE-2026-28897, CVE-2026-28963, CVE-2026-28955, CVE-2026-28958, CVE-2026-28971, CVE-2026-28972, CVE-2026-28995, CVE-2026-28996, CVE-2026-28903, CVE-2026-28913, CVE-2026-43655, CVE-2026-43666, CVE-2026-28918, CVE-2026-28969, CVE-2026-28991, CVE-2026-28936, CVE-2026-28987, CVE-2026-28906, CVE-2026-28957, CVE-2026-39869, CVE-2026-28846, CVE-2026-28964, CVE-2026-28953, CVE-2026-28905, CVE-2026-1837, CVE-2026-28951, CVE-2026-28904, CVE-2026-28977, CVE-2026-28883, CVE-2026-28965, CVE-2026-28959, CVE-2026-28847, CVE-2026-28985, CVE-2026-28902, CVE-2026-28917, CVE-2026-28993, CVE-2026-28942, CVE-2026-28983, CVE-2026-43660, CVE-2026-43668, CVE-2026-28907, CVE-2026-28988, CVE-2026-28990, CVE-2026-28956, CVE-2026-43653, CVE-2026-43658, CVE-2026-28986, CVE-2026-28940, CVE-2026-28920, CVE-2026-28974, CVE-2026-28994, CVE-2026-28962, CVE-2026-43656, CVE-2026-28944, CVE-2026-28943, CVE-2026-43659, CVE-2026-43661, CVE-2026-28947, CVE-2026-28992, CVE-2026-28901
About the security content of macOS Tahoe 26.5 - Apple Support
Released May 11, 2026
Available for: macOS Tahoe
Impact: An app may be able to cause a denial-of-service
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-28991: Seiji Sakurai (@HeapSmasher)
Available for: macOS Tahoe
Impact: An app may be able to bypass certain Privacy preferences
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-28988: Asaf Cohen
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28959: Dave G.
Available for: macOS Tahoe
Impact: A malicious app may be able to break out of its sandbox
Description: A logic issue was addressed with improved restrictions.
CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society
Available for: macOS Tahoe
Impact: Processing a maliciously crafted image may lead to a denial-of-service
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2026-1837
Available for: macOS Tahoe
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: A memory corruption issue was addressed with improved input validation.
CVE-2026-28956: impost0r (ret2plt)
Available for: macOS Tahoe
Impact: Processing an audio stream in a maliciously crafted media file may terminate the process
Description: The issue was addressed with improved memory handling.
CVE-2026-39869: David Ige of Beryllium Security
Available for: macOS Tahoe
Impact: An app may be able to access private information
Description: This issue was addressed through improved state management.
CVE-2026-28922: Arni Hardarson
Available for: macOS Tahoe
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved checks.
CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
Available for: macOS Tahoe
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2026-28918: Niels Hofmans, Anonymous working with TrendAI Zero Day Initiative
Available for: macOS Tahoe
Impact: An app may be able to gain root privileges
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2026-28915: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
Available for: macOS Tahoe
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-43659: Alex Radocea
Available for: macOS Tahoe
Impact: A malicious app may be able to break out of its sandbox
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28923: Kun Peeks (@SwayZGl1tZyyy)
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28925: Aswin Kumar Gokula Kannan, Dave G.
Available for: macOS Tahoe
Impact: Processing a maliciously crafted image may corrupt process memory
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2026-43661: an anonymous researcher
Available for: macOS Tahoe
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2026-28977: Suresh Sundaram
Available for: macOS Tahoe
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28990: Jiri Ha, Arni Hardarson
Available for: macOS Tahoe
Impact: A malicious app may be able to break out of its sandbox
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-28978: wdszzml and Atuin Automated Vulnerability Discovery Engine
Available for: macOS Tahoe
Impact: An attacker may be able to cause unexpected app termination
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2026-28992: Johnny Franks (@zeroxjf)
Available for: macOS Tahoe
Impact: An app may be able to determine kernel memory layout
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28943: Google Threat Analysis Group
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-43655: Somair Ansar and an anonymous researcher
Available for: macOS Tahoe
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)
Available for: macOS Tahoe
Impact: An app may be able to modify protected parts of the file system
Description: A denial of service issue was addressed by removing the vulnerable code.
CVE-2026-28908: beist
Available for: macOS Tahoe
Impact: A maliciously crafted disk image may bypass Gatekeeper checks
Description: A file quarantine bypass was addressed with additional checks.
CVE-2026-28954: Yiğit Can YILMAZ (@yilmazcanyigit)
Available for: macOS Tahoe
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: A buffer overflow was addressed with improved input validation.
CVE-2026-28897: popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Robert Tran, Aswin kumar Gokulakannan
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: An integer overflow was addressed with improved input validation.
CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research
Available for: macOS Tahoe
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state management.
CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: A race condition was addressed with additional validation.
CVE-2026-28986: Chris Betz, Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io)
Available for: macOS Tahoe
Impact: An app may be able to leak sensitive kernel state
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)
Available for: macOS Tahoe
Impact: A remote attacker may be able to cause a denial of service
Description: A type confusion issue was addressed with improved checks.
CVE-2026-28983: Ruslan Dautov
Available for: macOS Tahoe
Impact: Replying to an email could display remote images in Mail in Lockdown Mode
Description: A logic issue was addressed with improved checks.
CVE-2026-28929: Yiğit Can YILMAZ (@yilmazcanyigit)
Available for: macOS Tahoe
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2026-43653: Atul R V
Available for: macOS Tahoe
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: A null pointer dereference was addressed with improved input validation.
CVE-2026-28985: Omar Cerrito
Available for: macOS Tahoe
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2026-43668: Anton Pakhunov, Ricardo Prado
Available for: macOS Tahoe
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-43666: Ian van der Wurff (ian.nl)
Available for: macOS Tahoe
Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved checks.
CVE-2026-28941: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative
Available for: macOS Tahoe
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative
Available for: macOS Tahoe
Impact: An attacker with physical access to a locked device may be able to view sensitive user information
Description: This issue was addressed with improved checks.
CVE-2026-28961: Dan Raviv
Available for: macOS Tahoe
Impact: An attacker may be able to track users through their IP address
Description: This issue was addressed through improved state management.
CVE-2026-28906: Ilya Sc. Jowell A.
Available for: macOS Tahoe
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-43656: Peter Malone
Available for: macOS Tahoe
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-43652: Asaf Cohen
Available for: macOS Tahoe
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-39870: Peter Malone
Available for: macOS Tahoe
Impact: A remote attacker may be able to cause unexpected app termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28846: Peter Malone
Available for: macOS Tahoe
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2026-28993: Doron Assness
Available for: macOS Tahoe
Impact: A remote attacker may be able to cause unexpected system termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28848: Peter Malone, Dave G. and Alex Radocea of Supernetworks
Available for: macOS Tahoe
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-28930: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.
Available for: macOS Tahoe
Impact: An app may be able to cause a denial-of-service
Description: This issue was addressed with improved checks to prevent unauthorized actions.
CVE-2026-28974: Andy Koo (@andykoo) of Hexens
Available for: macOS Tahoe
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-28996: Alex Radocea
Available for: macOS Tahoe
Impact: An app may be able to gain root privileges
Description: A consistency issue was addressed with improved state handling.
CVE-2026-28919: Amy (amys.website)
Available for: macOS Tahoe
Impact: An app may be able to access Contacts without user consent
Description: A race condition was addressed with improved handling of symbolic links.
CVE-2026-28924: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs, YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab
Available for: macOS Tahoe
Impact: An app may be able to observe unprotected user data
Description: A path handling issue was addressed with improved logic.
CVE-2026-39871: an anonymous researcher
Available for: macOS Tahoe
Impact: An app may be able to gain root privileges
Description: An information leakage was addressed with additional validation.
CVE-2026-28976: David Ige - Beryllium Security
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A validation issue was addressed with improved logic.
WebKit Bugzilla: 308906
CVE-2026-43660: Cantina
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 308675
CVE-2026-28907: Cantina
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: This issue was addressed with improved access restrictions.
WebKit Bugzilla: 309698
CVE-2026-28962: Luke Francis, Vaagn Vardanian, kwak kiyong / kakaogames, Vitaly Simonovich, Adel Bouachraoui, greenbynox
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 307669
CVE-2026-43658: Do Young Park
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308545
CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu, and Zhe Wang
WebKit Bugzilla: 308707
CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Anonymous working with TrendAI Zero Day Initiative, Daniel Rhea
WebKit Bugzilla: 309601
CVE-2026-28904: Luka Rački
WebKit Bugzilla: 310880
CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative
WebKit Bugzilla: 310303
CVE-2026-28903: Mateusz Krzywicki (iVerify.io)
WebKit Bugzilla: 309628
CVE-2026-28953: Maher Azzouzi
WebKit Bugzilla: 309861
CVE-2026-28902: Tristan Madani (@TristanInSec) from Talence Security, Nathaniel Oh (@calysteon)
WebKit Bugzilla: 310207
CVE-2026-28901: Aisle offensive security research team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen of Calif.io
WebKit Bugzilla: 311631
CVE-2026-28913: an anonymous researcher
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313939
CVE-2026-28883: kwak kiyong / kakaogames
Available for: macOS Tahoe
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved data protection.
WebKit Bugzilla: 311228
CVE-2026-28958: Cantina
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 310527
CVE-2026-28917: Vitaly Simonovich
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 310234
CVE-2026-28947: dr3dd
WebKit Bugzilla: 310544
CVE-2026-28946: Gia Bui (@yabeow) from Calif.io, dr3dd, w0wbox
WebKit Bugzilla: 312180
CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic
Available for: macOS Tahoe
Impact: A malicious iframe may use another website’s download settings
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 311288
CVE-2026-28971: Khiem Tran
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 311131
CVE-2026-28944: Kenneth Hsu of Palo Alto Networks, Jérôme DJOUDER, dr3dd
Available for: macOS Tahoe
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-28819: Wang Yu
Available for: macOS Tahoe
Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28994: Alex Radocea
Available for: macOS Tahoe
Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks
Description: A logic issue was addressed with improved file handling.
CVE-2026-28914: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs (nosebeard.co)
Available for: macOS Tahoe
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: An information leakage was addressed with additional validation.
CVE-2026-28920: Brendon Tiszka of Google Project Zero
We would like to acknowledge Mikael Kinnman for their assistance.
We would like to acknowledge Asaf Cohen, Johan Wahyudi for their assistance.
We would like to acknowledge Iván Savransky, Kun Peeks (@SwayZGl1tZyyy), YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab for their assistance.
We would like to acknowledge Brian Carpenter for their assistance.
We would like to acknowledge Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs for their assistance.
We would like to acknowledge Jordan Pittman for their assistance.
We would like to acknowledge Mustafa Calap for their assistance.
We would like to acknowledge an anonymous researcher for their assistance.
We would like to acknowledge Ryan Hileman via Xint Code (xint.io), an anonymous researcher for their assistance.
We would like to acknowledge Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs for their assistance.
We would like to acknowledge Chris Staite and David Hardy of Menlo Security Inc for their assistance.
We would like to acknowledge Ilias Morad (@A2nkF_) for their assistance.
We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.
We would like to acknowledge Jason Grove for their assistance.
We would like to acknowledge Jeffery Kimbrow for their assistance.
We would like to acknowledge Asilbek Salimov for their assistance.
We would like to acknowledge Anand Patil for their assistance.
We would like to acknowledge Christopher Mathews for their assistance.
We would like to acknowledge Cem Onat Karagun, Surya Kushwaha for their assistance.
We would like to acknowledge sean mutuku for their assistance.
We would like to acknowledge Robert Mindo for their assistance.
We would like to acknowledge Yoav Magid for their assistance.
We would like to acknowledge Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs for their assistance.
We would like to acknowledge Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, Qadhafy Muhammad Tera, Vitaly Simonovich for their assistance.
We would like to acknowledge Hyeonji Son (@jir4vv1t) of Demon Team for their assistance.
We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.
Published Date: May 11, 2026
rsync 3.4.3 (20 May 2026) - multiple vulnerabilities fixed
2026-05-20T04:18:43+0000 by Alexandre Dulaunoy
https://download.samba.org/pub/rsync/NEWS.html
SECURITY FIXES: Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configuration to reach: the first and third need use chroot = no for a module, the second needs daemon chroot = ... set in rsyncd.conf. Two (CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a normal authenticated daemon connection. The sixth (CVE-2026-45232) is reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a pathological response. Many thanks to the external researchers who reported these issues.
CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. An rsync daemon configured with "use chroot = no" was exposed to a time-of-check / time-of-use race on parent path components: a local attacker with write access to a module could replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Default "use chroot = yes" is not exposed. secure_relative_open() (added in 3.4.0 for CVE-2024-12086) was previously unused in the daemon-no-chroot case; the fix enables it there and reroutes the sender's read-path opens through it. Reported by Nullx3D (Batuhan Sancak), Damien Neil and Michael Stapelberg.
CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an rsync daemon configured with daemon chroot = /X in rsyncd.conf when the chroot tree lacks DNS resolution support. The reverse-DNS lookup of the connecting client was performed after the daemon chroot had been entered; if /X did not contain the libc resolver fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules) the lookup failed and the connecting hostname was set to "UNKNOWN", causing hostname-based deny rules to silently fail open. IP-based ACLs are unaffected. The per-module use chroot setting is unrelated to this issue. The fix performs the lookup before entering the daemon chroot. Reported by MegaManSec.
CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the compressed-token decoder enabling remote memory disclosure to an authenticated daemon peer. The receiver accumulated a 32-bit signed counter without overflow checking; a malicious sender could trigger an overflow that, with careful manipulation, leaked process memory contents to the attacker -- environment variables, passwords, heap and library pointers -- significantly weakening ASLR. The fix bounds the counter and adds wire-input validation in several adjacent places (defence-in-depth). Workaround for older releases: refuse options = compress in rsyncd.conf. Reported by Omar Elsayed.
CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based system calls in "use chroot = no" daemon mode (generalisation of CVE-2026-29518). Earlier fixes for symlink races on the receiver's open() call missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir and lstat. The fix routes each affected path-based syscall through a parent dirfd opened under RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere). Default "use chroot = yes" is not exposed. Reported by Andrew Tridgell as a follow-on audit of CVE-2026-29518.
CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the receiver's recv_files() enabling remote denial-of-service of any client pulling from a malicious server (incomplete fix of commit 797e17f). The earlier parent_ndx<0 guard added to send_files() was not applied to the visually-identical block in recv_files(). A malicious rsync server can drive any connecting client into a deterministic SIGSEGV by setting CF_INC_RECURSE in the compatibility flags and sending a crafted file list and transfer record. inc_recurse is the protocol-30+ default, so no special options are required on the victim. Workaround for older releases: --no-inc-recursive on the client. Reported by Pratham Gupta.
CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack write in the rsync client's HTTP CONNECT proxy handler (establish_proxy_connection() in socket.c). After issuing the CONNECT request, rsync read the proxy's first response line one byte at a time into a 1024-byte stack buffer with the bound cp < &buffer[sizeof buffer - 1]. If the proxy (or a MITM in front of it) returned 1023+ bytes on that first line without a newline terminator, cp exited the loop pointing at a buffer slot the loop never wrote, leaving *cp holding stale stack data from the earlier snprintf() of the outgoing CONNECT request. The post-loop logic then wrote a single \0 one byte past the end of the buffer on the stack. Reach is client-side only, and only when RSYNC_PROXY is set so rsync tunnels an rsync:// connection through an HTTP CONNECT proxy. The written byte is always \0 and the offset is fixed by the buffer size, not attacker-chosen, so this is not an arbitrary-write primitive: practical impact is corruption of one adjacent stack byte and possible later misbehaviour or crash. The fix detects the "buffer filled without finding \n" case explicitly by position and refuses the response with "proxy response line too long". Reported by Aisle Research via Michal Ruprich (rsync-3.4.1-2.el10 QE).
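The refusal described for CVE-2026-45232, sketched as an added example (not rsync's own code): a byte-at-a-time line reader whose index cannot pass the last usable slot, so a full buffer with no newline is rejected instead of terminated out of bounds. The byte_src type, the function names, the guard-byte harness and the 2xx acceptance rule are assumptions made for this example; the inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROXY_LINE_MAX 1024           /* buffer size quoted in the NEWS entry */

enum { LINE_TOO_LONG = -1, LINE_EOF = -2, GUARD_DAMAGED = -3 };

/* Hypothetical in-memory byte source standing in for the proxy socket. */
struct byte_src { const char *data; size_t len, pos; };

static int src_read1(struct byte_src *s, char *out)
{
    if (s->pos >= s->len)
        return 0;                     /* peer closed the connection */
    *out = s->data[s->pos++];
    return 1;
}

/* Read one '\n'-terminated line into buf[cap], one byte at a time.
 * Returns the line length (CR/LF stripped, NUL-terminated) or a negative code.
 * n never exceeds cap - 1, so the terminator always lands inside buf. */
long read_proxy_line(struct byte_src *s, char *buf, size_t cap)
{
    size_t n = 0;
    char c;

    if (cap == 0)
        return LINE_TOO_LONG;
    for (;;) {
        if (!src_read1(s, &c)) {
            buf[n] = '\0';
            return LINE_EOF;
        }
        if (c == '\n')
            break;
        if (n == cap - 1) {           /* buffer full and still no newline: refuse */
            buf[n] = '\0';
            return LINE_TOO_LONG;
        }
        buf[n++] = c;
    }
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    buf[n] = '\0';
    return (long)n;
}

/* Assumed acceptance rule for this example: "HTTP/<version> 2xx ...". */
int proxy_status_ok(const char *line)
{
    const char *sp;

    if (strncmp(line, "HTTP/", 5) != 0)
        return 0;
    sp = strchr(line, ' ');
    return sp && sp[1] == '2' && isdigit((unsigned char)sp[2])
              && isdigit((unsigned char)sp[3]);
}

/* Run the reader with guard bytes placed directly after the line buffer,
 * so any write past the end of the buffer would be detected. */
long read_guarded(const char *data, size_t len, char *line_out, size_t out_cap)
{
    struct { char line[PROXY_LINE_MAX]; unsigned char guard[16]; } f;
    struct byte_src src = { data, len, 0 };
    long rc;
    size_t i;

    memset(f.guard, 0xA5, sizeof f.guard);
    rc = read_proxy_line(&src, f.line, sizeof f.line);
    for (i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0xA5)
            return GUARD_DAMAGED;
    if (line_out && out_cap)
        snprintf(line_out, out_cap, "%s", f.line);
    return rc;
}

/* Constructed input: `fill` bytes of 'A', optionally followed by '\n'. */
long constructed_case(size_t fill, int add_newline)
{
    static char input[4096];
    size_t len = fill < sizeof input - 1 ? fill : sizeof input - 1;

    memset(input, 'A', len);
    if (add_newline)
        input[len++] = '\n';
    return read_guarded(input, len, NULL, 0);
}

/* 1 = accepted, 0 = well-formed but not 2xx, negative = refused line. */
long check_reply(const char *reply)
{
    char line[PROXY_LINE_MAX];
    long rc = read_guarded(reply, strlen(reply), line, sizeof line);

    return rc < 0 ? rc : proxy_status_ok(line);
}

int main(void)
{
    printf("200 reply:           %ld\n", check_reply("HTTP/1.0 200 Connection established\r\n\r\n"));
    printf("1023 bytes + LF:     %ld\n", constructed_case(1023, 1));
    printf("2000 bytes, no LF:   %ld\n", constructed_case(2000, 0));
    return 0;
}
```

A line of exactly PROXY_LINE_MAX - 1 bytes plus its newline still fits; one byte more is refused before anything is stored.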
In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths: bounded wire-supplied counts and lengths in flist/io/acls/xattrs, a guard against length underflow in cumulative snprintf() callers, a parent block-index bounds check on the receiver, a NULL check in read_delay_line(), a lower ceiling on MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats() accumulator, rejection of hyphen-prefixed remote-shell hostnames (defence-in-depth against argv-injection in tooling that forwards untrusted input into the hostspec position; reported by Aisle Research via Michal Ruprich), and a NULL-check on localtime_r() in timestring() to keep a malicious server from crashing the client by advertising a file with an out-of-range modtime.
Related vulnerabilities: CVE-2026-43618, CVE-2024-12086, CVE-2026-45232, CVE-2026-43620, CVE-2026-43619, CVE-2026-43617, CVE-2026-29518
Today, 11th May 2026 CERT is releasing a set of six CVEs for serious security vulnerabilities in dnsmasq. These are all long-standing bugs which apply to pretty much all non-ancient versions. The CVE has been pre-disclosed to vendors, so hopefully they will be releasing patched versions of their dnsmasq packages in a timely manner.
Details and patches are available on the website at
https://thekelleys.org.uk/dnsmasq/CVE/
and I have made a "2.92rel2" release of the current 2.92 dnsmasq stable release which is downloadable from the usual place and has had these patches applied.
At the same time, the commits which fix these bugs in the development tree will be uploaded. Some of these use the same patches as the backports, but some are more comprehensive re-writes to tackle root-causes.
There has been something of a revolution in AI-based security research, and I've spent a lot of time over the last couple of months dealing with bug reports, weeding duplicates (so many duplicates!) and triaging bugs into those which need vendor pre-disclosure and those which it's better to make public and fix immediately. Those judgements have been necessarily subjective, but given the number of times "good guys" have found these bugs, there's no doubt that "bad guys" have been able to do the same, so long embargoes seem kind of pointless. There's also the problem that the amount of time and effort, for all actors, needed to co-ordinate an embargo and provide backports is huge. I think the priority for most bugs is to fix them going forward, and have new dnsmasq releases as bug-free as possible. To this end, you may have noticed that there have been a lot of security-fix commits to the git repo in the weeks prior to this announcement.
I will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93 release done ASAP. Testing of release candidate by members here is important and I'd like to encourage anyone who can to do that as soon as they can. With luck, 2.93 could be out in a week or so.
The tsunami of AI-generated bug reports shows no signs of stopping, so it is likely that this process will have to be repeated again soon. There's a tension between getting as much as possible of the ongoing bug stream fixed in 2.93 and its timely release. I plan to prioritise timeliness, and keep working after that as necessary.
Related vulnerabilities: CVE-2026-4892, CVE-2026-2291, CVE-2026-4891, CVE-2026-5172, CVE-2026-4890, CVE-2026-4893
Security Vulnerabilities fixed in Firefox 150.0.3 — Mozilla
Mozilla Foundation Security Advisory 2026-45
Announced: May 12, 2026
Impact: high
Products: Firefox
Fixed in: Firefox 150.0.3
CVE-2026-8388: Incorrect boundary conditions in the JavaScript Engine: JIT component
Reporter: ggwhyp
Impact: high
CVE-2026-8389: JIT miscompilation in the JavaScript Engine: JIT component
Reporter: ggwhyp
Impact: high
CVE-2026-8390: Use-after-free in the JavaScript: WebAssembly component
Reporter: OpenAI Preparedness, Bill Demirkapi
Impact: high
CVE-2026-8391: Other issue in the JavaScript Engine component
Reporter: ggwhyp
Impact: high
CVE-2026-8401: Sandbox escape in the Profile Backup component
Reporter: ggwhyp
Impact: high
Related vulnerabilities: CVE-2026-8391, CVE-2026-8401, CVE-2026-8389, CVE-2026-8390, CVE-2026-8388
Insufficient CSRF token and capability checks were applied to an MNet admin setting. Severity/Risk: Minor Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions Versions fixed: 5.1.4, 5.0.7 and 4.5.11 Reported by: Vincent Schneider CVE identifier: CVE-2026-7278 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84495 Tracker issue: MDL-84495 CSRF and missing capability check in admin/mnet/peers.php
The upstream AWS SDK for PHP library was upgraded, which included a security fix. Severity/Risk: Minor Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions Versions fixed: 5.1.4, 5.0.7 and 4.5.11 Reported by: Michael Hawkins CVE identifier: CVE-2025-14761 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87598 Tracker issue: MDL-87598 Upgrade AWS SDK for PHP including security fix (upstream)
The grade penalty rules reset function did not include the necessary token to prevent a CSRF risk. Severity/Risk: Minor Versions affected: 5.1 to 5.1.3 and 5.0 to 5.0.6 Versions fixed: 5.1.4 and 5.0.7 Reported by: Khải nguyễn Đặng CVE identifier: CVE-2026-7277 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88087 Tracker issue: MDL-88087 CSRF risk in reset penalty rules functionality
The PHPUnit version in Moodle LMS 4.5 required updating to avoid an upstream Poisoned Pipeline Execution (PPE) risk. Severity/Risk: Minor Versions affected: 4.5 to 4.5.10 Versions fixed: 4.5.11 Reported by: Huong Nguyen CVE identifier: CVE-2026-24765 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88381 Tracker issue: MDL-88381 Upgrade PHPUnit version to avoid a security risk (upstream)
A flaw in message handling of conversations with deleted users could result in active users losing access to their private messages.
Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Adam Jenkins
CVE identifier: CVE-2026-7276
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87760
Tracker issue: MDL-87760 Message panel breaks with messages from deleted users (messaging DoS risk)
A remote code execution risk was identified in Moodle's Google Drive repository plugin.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Rojan Rijal
Workaround: Disable the Google Drive repository plugin until the patch has been applied.
CVE identifier: CVE-2026-7275
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88423
Tracker issue: MDL-88423 RCE risk via Moodle's Google Drive repository plugin
An SQL injection risk was identified in the "external database" authentication plugin (auth_db). Note: This only affected sites with the auth_db authentication plugin enabled.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Melvinsh
CVE identifier: CVE-2026-7274
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88138
Tracker issue: MDL-88138 SQL injection risk in external database authentication plugin
Related vulnerabilities: CVE-2025-14761, CVE-2026-7274, CVE-2026-24765, CVE-2026-7277, CVE-2026-7275, CVE-2026-7278, CVE-2026-7276
[exim-announce] Exim 4.99.2 Released (security release)
2026-05-02T04:40:22+0000 by Alexandre Dulaunoy
https://lists.exim.org/lurker/message/20260429.121733.f58d9686.en.html
Author: Bernard Quatermass via Exim-announce
Date: 2026-04-29 14:17 +200
To: Exim Announcements
CC: Bernard Quatermass
Subject: [exim-announce] Exim 4.99.2 Released (security release)
Dear Exim users and maintainers,
we are pleased to announce the availability of release 4.99.2 of Exim.
This is a security release.
It fixes the following vulnerabilities.
CVE-2026-40684 Possible crash with malicious DNS data when using musl libc
On systems using musl libc (not glibc) due to an oddity in octal printing it is possible to crash the connection instance when malformed DNS data is present in PTR records.
CVE-2026-40685 Possible OOB read/write on corrupt JSON in header
configurations using json operators on invalid externally-provided input could trigger heap corruption.
CVE-2026-40686 Possible OOB read with large UTF8 trailing characters
configurations using utf8 operators on malformed utf8 in headers could trigger OOB reads and might trigger some data leak if error messages are required for subsequent emails in the current connection and similar malformed headers are present.
CVE-2026-40687 Possible OOB read/write with SPA authenticator
in configurations using the SPA authentication driver to a hostile/compromised external SPA/NTLM connection it is possible to trigger an OOB read/write and crash the connection instance or possibly leak heap data to the instance.
Older Exim versions may or may not be vulnerable but are not actively maintained.
We would like to thank the thousands of unnamed and uncredited authors whose works were ingested into the slopbots to "assist" in the reports for these vulnerabilities.
Exim 4.99.2 is available:
- as tarball
  - https://ftp.exim.org/pub/exim/exim4/
  - https://code.exim.org/exim/exim/releases
- directly from Git: https://code.exim.org/exim/exim tag: exim-4.99.2
The signatures on the release tarballs should be
- key ID 0xBCE58C8CE41F32DF Email: jgh@???
-- Bernard Quatermass
Related vulnerabilities: CVE-2026-40685, CVE-2026-40686, CVE-2026-40687, CVE-2026-40684
Debian Security Advisory DSA-6240-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
May 01, 2026    https://www.debian.org/security/faq
Package : imagemagick
CVE ID : CVE-2026-32636 CVE-2026-33535 CVE-2026-33536 CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33902 CVE-2026-33905 CVE-2026-33908 CVE-2026-34238 CVE-2026-40169 CVE-2026-40183 CVE-2026-40310 CVE-2026-40311 CVE-2026-40312
Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to denial of service, information disclosure or potentially arbitrary code execution if malformed images are processed.
For the stable distribution (trixie), these problems have been fixed in version 8:7.1.1.43+dfsg1-1+deb13u8.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Related vulnerabilities: CVE-2026-34238, CVE-2026-33905, CVE-2026-32636, CVE-2026-40310, CVE-2026-40312, CVE-2026-33902, CVE-2026-33901, CVE-2026-40183, CVE-2026-33535, CVE-2026-33908, CVE-2026-33899, CVE-2026-33900, CVE-2026-40169, CVE-2026-40311, CVE-2026-33536