CVE-2026-43724: The issue was addressed with improved input sanitization
The issue was addressed with improved input sanitization. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to cause unexpected system termination or write kernel memory.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 26.5.2
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is a critical input sanitization vulnerability affecting Apple iOS, iPadOS, and macOS. The CVSS v3.1 vector scores it as reachable over the network with no authentication and no user interaction required, while the vendor description names an app running on an affected device as the actor that can trigger the flaw. Successful exploitation allows an attacker to write to kernel memory or cause unexpected system termination, enabling privilege escalation or full device compromise. A patched-image rebuild at version 26.5.2 is available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle iOS, iPadOS, or macOS components. Any image in a customer registry or CI pipeline carrying a vulnerable version of the affected Apple OS components is flagged automatically.
Available
HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and weights findings against each customer environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within the customer org based on configured ownership rules.
Available
A patched-image rebuild targeting version 26.5.2 is available on HarborGuard for any environment running an affected version of iOS, iPadOS, or macOS. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerability is reachable over the network; an attacker must be able to reach the affected service or device across the internet or an internal network.
- Authentication: Not required
  No credentials or account are needed to trigger the vulnerability; an unauthenticated attacker can exploit it directly.
- Victim interaction: Not required
  No user action such as clicking a link or opening a file is required for exploitation to succeed.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- A successful attacker writes arbitrary data to kernel memory, enabling privilege escalation to kernel-level code execution on the affected device.
- The attacker can cause unexpected system termination, crashing the affected iOS, iPadOS, or macOS host and disrupting all running services.
- Kernel-level access exposes all data stored or processed on the device, including credentials, session tokens, and application data.
- Full integrity of the operating system is compromised, allowing the attacker to modify or destroy any persisted data or system state.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-43724 is active across all customer environments, matching images against the vulnerability within minutes of the June 29, 2026 publication date. A patched-image rebuild at Apple OS version 26.5.2 is available for any environment found to be running an affected version of iOS, iPadOS, or macOS. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run against the rebuilt image, and opens a pull request targeting the affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and remediation steps attached. Given the kernel write primitive and the absence of any authentication or interaction requirement, treating this as a top-priority remediation is warranted for any environment exposing affected Apple OS versions.
Fix available
- Apple / iOS and iPadOS < 26.5.2 (from 0)
- Apple / macOS < 26.5.2 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H