About the security content of tvOS 26.5

This document describes the security content of tvOS 26.5.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

tvOS 26.5

Accelerate

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause a denial-of-service

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2026-28991: Seiji Sakurai (@HeapSmasher)

APFS

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28959: Dave G.

App Intents

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A malicious app may be able to break out of its sandbox

Description: A logic issue was addressed with improved restrictions.

CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society

AppleJPEG

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted image may lead to a denial-of-service

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2026-1837

AppleJPEG

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory

Description: A memory corruption issue was addressed with improved input validation.

CVE-2026-28956: impost0r (ret2plt)

Audio

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing an audio stream in a maliciously crafted media file may terminate the process

Description: The issue was addressed with improved memory handling.

CVE-2026-39869: David Ige of Beryllium Security

CoreSymbolication

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Parsing a maliciously crafted file may lead to an unexpected app termination

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2026-28918: Niels Hofmans, Anonymous working with TrendAI Zero Day Initiative

ImageIO

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted image may corrupt process memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2026-43661: an anonymous researcher

ImageIO

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted file may lead to unexpected app termination

Description: The issue was addressed with improved bounds checks.

CVE-2026-28977: Suresh Sundaram

ImageIO

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28990: Jiri Ha, Arni Hardarson

IOHIDFamily

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker may be able to cause unexpected app termination

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2026-28992: Johnny Franks (@zeroxjf)

IOHIDFamily

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to determine kernel memory layout

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28943: Google Threat Analysis Group

IOKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar

IOSurfaceAccelerator

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2026-43655: Somair Ansar and an anonymous researcher

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: A buffer overflow was addressed with improved input validation.

CVE-2026-28897: popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Robert Tran, Aswin kumar Gokulakannan

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination

Description: A race condition was addressed with additional validation.

CVE-2026-28986: Chris Betz, Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io)

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to leak sensitive kernel state

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)

LaunchServices

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A remote attacker may be able to cause a denial of service

Description: A type confusion issue was addressed with improved checks.

CVE-2026-28983: Ruslan Dautov

mDNSResponder

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2026-43653: Atul R V

mDNSResponder

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: A null pointer dereference was addressed with improved input validation.

CVE-2026-28985: Omar Cerrito

mDNSResponder

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A use after free issue was addressed with improved memory management.

CVE-2026-43668: Anton Pakhunov, Ricardo Prado

mDNSResponder

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2026-43666: Ian van der Wurff (ian.nl)

Model I/O

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative

SceneKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A remote attacker may be able to cause unexpected app termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28846: Peter Malone

Spotlight

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause a denial-of-service

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2026-28974: Andy Koo (@andykoo) of Hexens

Storage

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to access sensitive user data

Description: A race condition was addressed with additional validation.

CVE-2026-28996: Alex Radocea

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A validation issue was addressed with improved logic.

CVE-2026-43660: Cantina

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: The issue was addressed with improved input validation.

CVE-2026-28907: Cantina

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: The issue was addressed with improved memory handling.

CVE-2026-43658: Do Young Park

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu, and Zhe Wang

CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Anonymous working with TrendAI Zero Day Initiative, Daniel Rhea

CVE-2026-28904: Luka Rački

CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative

CVE-2026-28903: Mateusz Krzywicki (iVerify.io)

CVE-2026-28953: Maher Azzouzi

CVE-2026-28902: Tristan Madani (@TristanInSec) from Talence Security, Nathaniel Oh (@calysteon)

CVE-2026-28901: Aisle offensive security research team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen of Calif.io

CVE-2026-28913: an anonymous researcher

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

CVE-2026-28883: kwak kiyong / kakaogames

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved input validation.

CVE-2026-28917: Vitaly Simonovich

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A use-after-free issue was addressed with improved memory management.

CVE-2026-28947: dr3dd

CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic

Wi-Fi

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28994: Alex Radocea

zlib

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: An information leakage was addressed with additional validation.

CVE-2026-28920: Brendon Tiszka of Google Project Zero

Additional recognition

App Intents

We would like to acknowledge Mikael Kinnman for their assistance.

Apple Account

We would like to acknowledge Iván Savransky, YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab for their assistance.

AuthKit

We would like to acknowledge Gongyu Ma (@Mezone0) for their assistance.

CoreUI

We would like to acknowledge Mustafa Calap ​ for their assistance.

ICU

We would like to acknowledge an anonymous researcher for their assistance.

Kernel

We would like to acknowledge Ryan Hileman via Xint Code (xint.io), Suresh Sundaram, an anonymous researcher for their assistance.

Libnotify

We would like to acknowledge Ilias Morad (@A2nkF_) for their assistance.

mDNSResponder

We would like to acknowledge Jason Grove for their assistance.

Siri

We would like to acknowledge Yoav Magid for their assistance.

WebKit

We would like to acknowledge Vitaly Simonovich for their assistance.