Executive Summary
Apple has disclosed CVE-2026-28872, a denial-of-service vulnerability affecting iOS and iPadOS across both the iOS 18 and iOS 26 release trains. The flaw is rooted in insufficient input validation that allows a remote attacker to send specially crafted network or protocol data, triggering uncontrolled resource consumption that can render the device unresponsive.
CVSS Score: 7.5 (High)
The vulnerability was addressed with improved input validation and fixed in iOS 18.7.9 / iPadOS 18.7.9 and iOS 26.4 / iPadOS 26.4, published to the NVD on May 11, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-28872 |
| CVSS Score | 7.5 (High) |
| CWE | CWE-400: Uncontrolled Resource Consumption |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Vulnerable Platforms | iOS 18.x, iPadOS 18.x, iOS 26.x, iPadOS 26.x |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| Apple | iOS | All versions before 18.7.9 | 18.7.9 |
| Apple | iPadOS | All versions before 18.7.9 | 18.7.9 |
| Apple | iOS 26 | All versions before 26.4 | 26.4 |
| Apple | iPadOS 26 | All versions before 26.4 | 26.4 |
Vulnerability Details
Resource Exhaustion via Malformed Input
The vulnerability exists in a component that processes externally supplied input — likely tied to a network-facing service or protocol parser — that fails to impose adequate limits on resource allocation. When an attacker sends maliciously crafted data, the affected component allocates memory or processing resources without bound until the system is destabilized.
Typical resource exhaustion attack flow:
1. Attacker identifies network-accessible service on target iOS/iPadOS device
2. Attacker crafts malformed packet or protocol message with excessive/recursive data
3. Target device's input handler allocates resources for each malformed input
4. Without proper bounds checking, allocations accumulate unchecked
5. Device memory or CPU becomes exhausted
6. Operating system becomes unresponsive — denial of service achieved
7. Device requires restart to recover (no persistent compromise)No Authentication Required
The CVSS vector specifies Privileges Required: None and User Interaction: None, meaning exploitation does not require the attacker to authenticate to the device or trick the user into opening a file or link. A remote attacker on the same network — or potentially over the internet if the vulnerable component is internet-facing — can trigger the condition.
Impact: Availability
The primary impact is availability — the targeted device becomes unresponsive and must be restarted. There is no known evidence that this vulnerability enables code execution, data access, or persistent compromise. However, repeated DoS attacks against devices can disrupt critical communications and workflows.
Risk Assessment by Deployment
| Context | Risk Level | Notes |
|---|---|---|
| Consumer iPhones/iPads (general) | Medium | Disruptive but self-recovering after restart |
| Enterprise iOS MDM fleet | High | Mass DoS could disrupt critical business workflows |
| Healthcare/clinical devices running iOS | High | Clinical communication disruption has patient safety implications |
| Law enforcement / first responder devices | High | Communication disruption in critical situations |
| Public Wi-Fi environments | Medium–High | Shared network increases attacker proximity |
Recommended Actions
1. Update Immediately
Apply the vendor-supplied patches as soon as possible:
- iOS 18 users → Update to iOS 18.7.9
- iPadOS 18 users → Update to iPadOS 18.7.9
- iOS 26 users → Update to iOS 26.4
- iPadOS 26 users → Update to iPadOS 26.4
# For MDM-managed enterprise iOS fleets — push update via MDM
# In Apple Business Manager:
# Devices → Software Updates → Deploy 18.7.9 / 26.4
# Enforce deadline to ensure compliance within 72 hours2. Prioritize High-Risk Device Categories
Enterprise IT and MDM administrators should:
- Identify all iOS/iPadOS devices running affected versions via MDM inventory
- Flag devices used for critical operations (healthcare, emergency, executive) for immediate priority update
- Monitor MDM compliance dashboards to track patch progress
- Consider temporary VPN enforcement or network access restrictions for unpatched devices
3. Network Monitoring
Until patched, monitor for signs of exploitation:
| Indicator | Description |
|---|---|
| Sudden device reboots across multiple units | Possible mass DoS attempt |
| Unusual inbound traffic to iOS devices on network | Attacker probing for vulnerable service |
| MDM heartbeat loss from multiple devices simultaneously | Coordinated DoS attack |
4. Limit Network Exposure
Ensure iOS/iPadOS devices are not exposing unnecessary services to untrusted networks. Enforce Wi-Fi policies that prevent connections to untrusted or open networks without VPN.
Post-Patch Checklist
- Confirm updated version — verify iOS 18.7.9 / iPadOS 18.7.9 / iOS 26.4 / iPadOS 26.4 installed on all managed devices
- MDM compliance report — generate and retain documentation of update rollout for compliance purposes
- No persistent compromise risk — this vulnerability does not enable code execution; post-patch forensic investigation is not required unless unusual activity preceded the update
- Review related vulnerabilities — check the Apple Security Updates page for any co-disclosed issues in the same release