CVE-2026-28860
Keychain State Modification Vulnerability in Apple iOS and macOS
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | ios | 18.7.7 |
| apple | ipados | 18.7.7 |
| apple | macos_sequoia | 15.7.5 |
| apple | macos_sonoma | 14.8.5 |
| apple | macos_tahoe | 26.4 |
| apple | tvos | 26.4 |
| apple | visionos | 26.4 |
| apple | watchos | 26.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a flaw in input validation that could allow a local attacker to modify the state of the Keychain on affected Apple operating systems.
The issue was addressed by improving input validation and fixed in multiple Apple OS versions including iOS, iPadOS, macOS Sequoia, macOS Sonoma, macOS Tahoe, tvOS, visionOS, and watchOS.
How can this vulnerability impact me? :
A local attacker exploiting this vulnerability may be able to modify the state of the Keychain, which could potentially lead to unauthorized access or manipulation of sensitive stored credentials and secrets.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your Apple devices to the fixed versions of the operating systems as soon as possible.
- Update to iOS 18.7.7 or iOS 26.4 for iPhone devices.
- Update to iPadOS 18.7.7 or iPadOS 26.4 for iPad devices.
- Update to macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, or macOS Tahoe 26.4 for Mac devices.
- Update to tvOS 26.4 for Apple TV devices.
- Update to visionOS 26.4 for visionOS devices.
- Update to watchOS 26.4 for Apple Watch devices.