This document describes the security content of iOS 18.7.9 and iPadOS 18.7.9.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released May 11, 2026
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: An authorization issue was addressed with improved state management.
CVE-2026-28877: Rosyna Keller of Totally Not Malicious Software
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28959: Dave G.
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A malicious app may be able to break out of its sandbox
Description: A logic issue was addressed with improved restrictions.
CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing an audio stream in a maliciously crafted media file may terminate the process
Description: The issue was addressed with improved memory handling.
CVE-2026-39869: David Ige of Beryllium Security
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue was addressed with improved input validation.
CVE-2026-28872: Alvin Aries Tapia
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2026-28894: an anonymous researcher
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved checks.
CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-43659: Alex Radocea
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: An information leakage was addressed with additional validation.
CVE-2026-28870: XiguaSec
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2026-28977: Suresh Sundaram
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker may be able to cause unexpected app termination
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2026-28992: Johnny Franks (@zeroxjf)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to determine kernel memory layout
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28943: Google Threat Analysis Group
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A maliciously crafted disk image may bypass Gatekeeper checks
Description: A file quarantine bypass was addressed with additional checks.
CVE-2026-28954: Yiğit Can YILMAZ (@yilmazcanyigit)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: A buffer overflow was addressed with improved input validation.
CVE-2026-28897: Robert Tran, popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Aswin kumar Gokulakannan
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: An integer overflow was addressed with improved input validation.
CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state management.
CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A race condition was addressed with additional validation.
CVE-2026-28986: Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io), Chris Betz
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to leak sensitive kernel state
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial of service
Description: A type confusion issue was addressed with improved checks.
CVE-2026-28983: Ruslan Dautov
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to enumerate a user's installed apps
Description: This issue was addressed with improved checks.
CVE-2026-28882: Ilya Andr (andrd3v), Ilias Morad (A2nkF) of Voynich Group, Duy Trần (@khanhduytran0), @hugeBlack
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Replying to an email could display remote images in Mail in Lockdown Mode
Description: A logic issue was addressed with improved checks.
CVE-2026-28929: Yiğit Can YILMAZ (@yilmazcanyigit)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2026-43653: Atul R V
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2026-43668: Ricardo Prado, Anton Pakhunov
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-43666: Ian van der Wurff (ian.nl)
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved checks.
CVE-2026-28941: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker may be able to track users through their IP address
Description: This issue was addressed through improved state management.
CVE-2026-28906: Ilya Sc. Jowell A.
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to circumvent App Privacy Report logging
Description: This issue was addressed with additional entitlement checks.
CVE-2026-28873: Guy Dor
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-43656: Peter Malone
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause unexpected app termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28846: Peter Malone
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2026-28993: Doron Assness
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to capture a user's screen
Description: An issue with app access to camera metadata was addressed with improved logic.
CVE-2026-28957: Adriatik Raci
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 308675
CVE-2026-28907: Cantina
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A validation issue was addressed with improved logic.
WebKit Bugzilla: 308906
CVE-2026-43660: Cantina
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308707
CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Daniel Rhea, Anonymous working with TrendAI Zero Day Initiative
WebKit Bugzilla: 309601
CVE-2026-28904: Luka Rački
WebKit Bugzilla: 310303
CVE-2026-28903: Mateusz Krzywicki (iVerify.io)
WebKit Bugzilla: 310880
CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative
WebKit Bugzilla: 309628
CVE-2026-28953: Maher Azzouzi
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: This issue was addressed with improved access restrictions.
WebKit Bugzilla: 309698
CVE-2026-28962: Vitaly Simonovich, Vaagn Vardanian, Luke Francis, kwak kiyong / kakaogames, greenbynox, Adel Bouachraoui
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 310527
CVE-2026-28917: Vitaly Simonovich
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-28819: Wang Yu
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28994: Alex Radocea
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: An information leakage was addressed with additional validation.
CVE-2026-28920: Brendon Tiszka of Google Project Zero
We would like to acknowledge Ryan Hileman via Xint Code (xint.io) for their assistance.
We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.
We would like to acknowledge kado for their assistance.
We would like to acknowledge Bishal Kafle for their assistance.
We would like to acknowledge Asaf Cohen for their assistance.