Cyber Resilience

CVE-2026-28894

High

Published: 25 March 2026

Modified: 25 March 2026
KEV Added: not listed
Patch: available (see Vulnerability details below)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0022 (44.1st percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28894 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apple macOS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 44.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28894 is a denial-of-service vulnerability stemming from improper input validation (CWE-20) in Apple operating systems. It affects versions of iOS and iPadOS prior to 26.4, as well as macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.4. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability disruption without requiring user interaction or privileges.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity by sending malformed input, leading to a denial-of-service condition that crashes or otherwise disrupts the affected device or service.

Apple security advisories, available at support.apple.com/en-us/126792, 126794, 126795, and 126796, confirm the issue was addressed through improved input validation in the specified patched versions. Security practitioners should prioritize updating affected Apple devices to mitigate remote DoS risks.

EU & UK References

Vulnerability details

A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A remote attacker may be able to cause a denial-of-service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated DoS via malformed input and improper validation (CWE-20) on Apple endpoints directly enables T1499.004 Application or System Exploitation to crash or disrupt the device/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30471 (same product: Apple iPadOS)
CVE-2026-28952 (same product: Apple iPadOS)
CVE-2026-43656 (same product: Apple iPadOS)
CVE-2025-24177 (same product: Apple iPadOS)
CVE-2025-31281 (same product: Apple iPadOS)
CVE-2026-28944 (same product: Apple iPadOS)
CVE-2024-44227 (same product: Apple iPadOS)
CVE-2026-28875 (same product: Apple iPadOS)
CVE-2026-28874 (same product: Apple iPadOS)
CVE-2026-28872 (same product: Apple iPadOS)

Affected Assets

Vendor / product / affected versions:
apple / ipados / ≤ 26.4
apple / iphone os / ≤ 26.4
apple / macos / 14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly mitigates the improper input validation (CWE-20) root cause by enforcing validation of information inputs to block the malformed data that causes the DoS.

SC-5 Denial-of-service Protection (prevent)

Specifically protects against denial-of-service events such as this remote, unauthenticated attack, in which malformed inputs disrupt availability.

prevent

Ensures timely identification, reporting, and patching of flaws like this input validation vulnerability, consistent with Apple's fix in the updated OS versions.

References