CVE-2026-28867 is a security vulnerability identified in Apple’s operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The flaw allows a malicious application to leak sensitive kernel state information, which is critical internal data managed by the operating system kernel. Kernel state leakage can reveal memory contents, kernel pointers, or other sensitive data that attackers can leverage to bypass security mechanisms, facilitate privilege escalation, or conduct further attacks on the system. The vulnerability arises from insufficient authentication checks when accessing certain kernel resources, which Apple has addressed by enhancing authentication controls in the affected OS versions. The issue was resolved in updates iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. No public exploits or active exploitation have been reported, indicating that the vulnerability is not yet weaponized in the wild. However, the potential for sensitive kernel information disclosure poses a significant risk, especially in environments where untrusted or third-party apps are installed. This vulnerability affects a wide range of Apple devices, including mobile phones, tablets, desktops, smart TVs, wearable devices, and emerging visionOS platforms, reflecting the broad ecosystem impact. The lack of a CVSS score requires an expert severity assessment based on the nature of the vulnerability, its impact on confidentiality, and the attack vector. Given that exploitation requires only a malicious app (local code execution) without user interaction or authentication, the vulnerability is relatively easy to exploit once an app is installed. The kernel state leakage could compromise system integrity and confidentiality, making this a high-severity issue. Organizations relying on Apple devices should apply the patches promptly to mitigate risks.

The primary impact of CVE-2026-28867 is the potential leakage of sensitive kernel state information, which can undermine the confidentiality and integrity of affected Apple devices. Attackers exploiting this vulnerability could gain insights into kernel memory layout, secret keys, or other protected data, facilitating further attacks such as privilege escalation or bypassing security mitigations like kernel address space layout randomization (KASLR). This could lead to unauthorized access to sensitive user data, system compromise, or persistence mechanisms that are difficult to detect and remove. For organizations, this vulnerability threatens the security of corporate iPhones, iPads, Macs, and other Apple devices, potentially exposing confidential business information or enabling lateral movement within networks. The broad range of affected platforms increases the attack surface, impacting sectors that rely heavily on Apple ecosystems, including finance, healthcare, government, and technology industries. Although no known exploits are currently active, the availability of a fix and the nature of the vulnerability necessitate urgent patching to prevent future exploitation. Failure to address this vulnerability could result in data breaches, loss of trust, regulatory penalties, and operational disruptions.

To mitigate CVE-2026-28867, organizations and users should immediately apply the security updates released by Apple for all affected platforms: iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Beyond patching, organizations should enforce strict app installation policies, limiting installations to trusted sources such as the Apple App Store and employing Mobile Device Management (MDM) solutions to control app permissions and monitor for suspicious behavior. Implementing runtime protections like Apple’s System Integrity Protection (SIP) and ensuring that devices are configured to require strong authentication can reduce the risk of malicious app installation. Security teams should conduct regular audits of installed applications and monitor device logs for unusual kernel or system calls indicative of exploitation attempts. Additionally, educating users about the risks of installing untrusted apps and maintaining up-to-date backups can help mitigate potential damage. For high-security environments, consider deploying endpoint detection and response (EDR) solutions capable of detecting anomalous kernel-level activity. Finally, coordinate with Apple’s security advisories and threat intelligence feeds to stay informed about any emerging exploit developments related to this vulnerability.