Cyber Posture

CVE-2026-28894

Severity: High

Published: 25 March 2026
Modified: 25 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0020 (42.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28894 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apple macOS (and the corresponding iOS and iPadOS releases). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 42.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly mitigates the improper input validation (CWE-20) root cause by enforcing validation of information inputs to block malformed data causing DoS.
- SC-5 Denial-of-service Protection (prevent): Specifically protects against denial-of-service events like this remote, unauthenticated attack via malformed inputs disrupting availability.
- Flaw remediation (prevent): Ensures timely identification, reporting, and patching of flaws like this input validation vulnerability, matching Apple's fix in updated OS versions.

MITRE ATT&CK Enterprise Techniques

- T1499.004 Application or System Exploitation (tactic: Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote unauthenticated DoS via malformed input and improper validation (CWE-20) on Apple endpoints directly enables T1499.004 Application or System Exploitation to crash or disrupt the device/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A remote attacker may be able to cause a denial-of-service.

Deeper analysis

CVE-2026-28894 is a denial-of-service vulnerability stemming from improper input validation (CWE-20) in Apple operating systems. It affects versions of iOS and iPadOS prior to 26.4, as well as macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.4. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability disruption without requiring user interaction or privileges.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity by sending malformed input, leading to a denial-of-service condition that crashes or otherwise disrupts the affected device or service. Because the vector is AV:N/PR:N/UI:N, exposure is not limited to devices whose users interact with attacker content.

Apple security advisories, available at support.apple.com/en-us/126792, 126794, 126795, and 126796, confirm the issue was addressed through improved input validation in the specified patched versions. Security practitioners should prioritize updating affected Apple devices to mitigate remote DoS risks.

Details

CWE(s)

- CWE-20 Improper Input Validation

Affected Products

- Apple iPadOS: ≤ 26.4
- Apple iPhone OS (iOS): ≤ 26.4
- Apple macOS: 14.0 to 14.8.5, 15.0 to 15.7.5, 26.0 to 26.4

CVEs Like This One

- CVE-2025-30471 (same product: Apple iPadOS)
- CVE-2025-24177 (same product: Apple iPadOS)
- CVE-2025-31281 (same product: Apple iPadOS)
- CVE-2024-44227 (same product: Apple iPadOS)
- CVE-2026-28874 (same product: Apple iPadOS)
- CVE-2026-28875 (same product: Apple iPadOS)
- CVE-2026-20652 (same product: Apple iPadOS)
- CVE-2025-43300 (same product: Apple iPadOS)
- CVE-2026-20606 (same product: Apple iPadOS)
- CVE-2025-43347 (same product: Apple iPadOS)