CVE-2026-28858

CRITICAL

iOS and iPadOS < 26.4 - Remote Denial of Service and Memory Corruption via Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-28858. PoCs published by kaleth4.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2026-28858, a buffer overflow vulnerability in Apple iOS/iPadOS, including a conceptual exploit example, patch analysis, and mitigation strategies. It does not contain a functional exploit but offers in-depth research on the vulnerability.

Description

A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote user may be able to cause unexpected system termination or corrupt kernel memory.

Exploits (1)

nomisec WRITEUP
by kaleth4 · poc
https://github.com/kaleth4/CVE-2026-28858

The repository provides a detailed technical analysis of CVE-2026-28858, a buffer overflow vulnerability in Apple iOS/iPadOS, including a conceptual exploit example, patch analysis, and mitigation strategies. It does not contain a functional exploit but offers in-depth research on the vulnerability.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Apple iOS/iPadOS (versions prior to 26.4)
No auth needed
Prerequisites: Network access to target device · Knowledge of memory layout and bypass techniques for ASLR/PAC
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 9.8
EPSS 0.0015
EPSS Percentile 36.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-120
Status published
Products (3)
Apple/iOS and iPadOS < 26.4
apple/ipados < 26.4
apple/iphone_os < 26.4
Published Mar 25, 2026
Tracked Since Mar 25, 2026