Apple CVEs & Vulnerabilities

1.444 CVEs affecting Apple products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.444 CVEs→ All vendors

Most Affected Products

macos 1.352iphone os 272ipados 203visionos 103watchos 80tvos 75safari 46xcode 2
CVE-2026-8544HIGH

Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8543MEDIUM

Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

14 May 2026
5.3
CVSS
CVE-2026-8541MEDIUM

Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

14 May 2026
5.3
CVSS
CVE-2026-8536LOW

Insufficient validation of untrusted input in ReadingMode in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass site Isolation via a crafted HTML page. (Chromium security severity: High)

14 May 2026
3.1
CVSS
CVE-2026-8529HIGH

Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8528MEDIUM

Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: High)

14 May 2026
4.3
CVSS
CVE-2026-8527HIGH

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8526HIGH

Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8525HIGH

Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.3
CVSS
CVE-2026-8524HIGH

Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8523HIGH

Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.3
CVSS
CVE-2026-8522HIGH

Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-8521HIGH

Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

14 May 2026
7.5
CVSS
CVE-2026-8520HIGH

Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8518HIGH

Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-8517HIGH

Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-8516MEDIUM

Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
5.3
CVSS
CVE-2026-8515HIGH

Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8514HIGH

Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8512HIGH

Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8511CRITICAL

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
9.6
CVSS
CVE-2026-8509HIGH

Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-34690HIGH

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-42899HIGH

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

12 May 2026
7.5
CVSS
CVE-2026-34687HIGH

Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-34663MEDIUM

Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
5.5
CVSS
CVE-2026-34662MEDIUM

Illustrator versions 29.8.6, 30.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
5.5
CVSS
CVE-2026-34661HIGH

Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-34638HIGH

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-34637HIGH

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-34636HIGH

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2025-46311HIGH

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access sensitive user data.

12 May 2026
7.5
CVSS
CVE-2025-43524HIGH

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.

12 May 2026
8.8
CVSS
CVE-2026-43668HIGH

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

12 May 2026
7.5
CVSS
CVE-2026-43666MEDIUM

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

12 May 2026
6.2
CVSS
CVE-2026-43661HIGH

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

12 May 2026
7.5
CVSS
CVE-2026-43660HIGH

A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

12 May 2026
7.5
CVSS
CVE-2026-43659MEDIUM

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

12 May 2026
4.7
CVSS
CVE-2026-43658HIGH

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

12 May 2026
7.5
CVSS
CVE-2026-43656HIGH

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.

12 May 2026
7.3
CVSS
CVE-2026-43655HIGH

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or read kernel memory.

12 May 2026
7.3
CVSS
CVE-2026-43654HIGH

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to disclose kernel memory.

12 May 2026
7.5
CVSS
CVE-2026-43653MEDIUM

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

12 May 2026
6.2
CVSS
CVE-2026-43652HIGH

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.

12 May 2026
7.5
CVSS
CVE-2026-39871HIGH

A path handling issue was addressed with improved logic. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to observe unprotected user data.

12 May 2026
7.5
CVSS
CVE-2026-39870HIGH

The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Processing a maliciously crafted image may corrupt process memory.

12 May 2026
7.5
CVSS
CVE-2026-39869MEDIUM

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing an audio stream in a maliciously crafted media file may terminate the process.

12 May 2026
4.3
CVSS
CVE-2026-28996MEDIUM

A race condition was addressed with additional validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to access sensitive user data.

12 May 2026
5.5
CVSS
← PrevPage 17 / 31Next →