| CVE-2026-28991 | Accelerate | An app may be able to cause a denial-of-service | Yes | No | No |
| CVE-2026-28988 | Accounts | An app may be able to bypass certain Privacy preferences | Yes | No | No |
| CVE-2026-28959 | APFS | An app may be able to cause unexpected system termination | Yes | Yes | Yes |
| CVE-2026-28995 | App Intents | A malicious app may be able to break out of its sandbox | Yes | No | No |
| CVE-2026-1837 | AppleJPEG | Processing a maliciously crafted image may lead to a denial-of-service | Yes | No | No |
| CVE-2026-28956 | AppleJPEG | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory | Yes | Yes | Yes |
| CVE-2026-39869 | Audio | Processing an audio stream in a maliciously crafted media file may terminate the process | Yes | Yes | Yes |
| CVE-2026-28922 | CoreMedia | An app may be able to access private information | Yes | Yes | Yes |
| CVE-2026-28936 | CoreServices | Processing a maliciously crafted file may lead to unexpected app termination | Yes | No | Yes |
| CVE-2026-28918 | CoreSymbolication | Parsing a maliciously crafted file may lead to an unexpected app termination | Yes | No | No |
| CVE-2026-28878 | Crash Reporter | An app may be able to enumerate a user's installed apps | No | Yes | No |
| CVE-2026-28915 | CUPS | An app may be able to gain root privileges | Yes | Yes | Yes |
| CVE-2026-43659 | FileProvider | An app may be able to access sensitive user data | Yes | Yes | Yes |
| CVE-2026-28923 | GPU Drivers | A malicious app may be able to break out of its sandbox | Yes | Yes | Yes |
| CVE-2026-28925 | HFS | An app may be able to cause unexpected system termination or write kernel memory | Yes | Yes | Yes |
| CVE-2025-43524 | Icons | An app may be able to break out of its sandbox | No | Yes | Yes |
| CVE-2026-43661 | ImageIO | Processing a maliciously crafted image may corrupt process memory | Yes | No | No |
| CVE-2026-28977 | ImageIO | Processing a maliciously crafted file may lead to unexpected app termination | Yes | Yes | Yes |
| CVE-2026-28990 | ImageIO | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | Yes |
| CVE-2026-28978 | Installer | A malicious app may be able to break out of its sandbox | Yes | Yes | Yes |
| CVE-2026-28992 | IOHIDFamily | An attacker may be able to cause unexpected app termination | Yes | Yes | Yes |
| CVE-2026-28943 | IOHIDFamily | An app may be able to determine kernel memory layout | Yes | Yes | Yes |
| CVE-2026-28969 | IOKit | An app may be able to cause unexpected system termination | Yes | Yes | Yes |
| CVE-2026-43655 | IOSurfaceAccelerator | An app may be able to cause unexpected system termination or read kernel memory | Yes | No | No |
| CVE-2026-43654 | Kernel | An app may be able to disclose kernel memory | Yes | Yes | Yes |
| CVE-2026-28908 | Kernel | An app may be able to modify protected parts of the file system | Yes | Yes | Yes |
| CVE-2026-28954 | Kernel | A maliciously crafted disk image may bypass Gatekeeper checks | Yes | Yes | Yes |
| CVE-2026-28897 | Kernel | A local user may be able to cause unexpected system termination or read kernel memory | Yes | Yes | Yes |
| CVE-2026-28952 | Kernel | An app may be able to cause unexpected system termination | Yes | Yes | Yes |
| CVE-2026-28951 | Kernel | An app may be able to gain root privileges | Yes | Yes | Yes |
| CVE-2026-28972 | Kernel | An app may be able to cause unexpected system termination or write kernel memory | Yes | Yes | Yes |
| CVE-2026-28986 | Kernel | An app may be able to cause unexpected system termination | Yes | Yes | Yes |
| CVE-2026-28987 | Kernel | An app may be able to leak sensitive kernel state | Yes | Yes | Yes |
| CVE-2026-28983 | LaunchServices | A remote attacker may be able to cause a denial of service | Yes | No | No |
| CVE-2026-28929 | Mail Drafts | Replying to an email could display remote images in Mail in Lockdown Mode | Yes | Yes | Yes |
| CVE-2026-43653 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | No | Yes |
| CVE-2026-28985 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | No | No |
| CVE-2026-43668 | mDNSResponder | A remote attacker may be able to cause unexpected system termination or corrupt kernel memory | Yes | Yes | Yes |
| CVE-2026-43666 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | Yes | Yes |
| CVE-2026-28941 | Model I/O | Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents | Yes | Yes | No |
| CVE-2026-28940 | Model I/O | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | No |
| CVE-2026-28961 | Network Extensions | An attacker with physical access to a locked device may be able to view sensitive user information | Yes | No | No |
| CVE-2026-28906 | Networking | An attacker may be able to track users through their IP address | Yes | Yes | Yes |
| CVE-2026-28840 | PackageKit | An app may be able to gain root privileges | No | Yes | Yes |
| CVE-2026-43656 | Quick Look | Parsing a maliciously crafted file may lead to an unexpected app termination | Yes | Yes | Yes |
| CVE-2026-43652 | Sandbox | An app may be able to access protected user data | Yes | No | No |
| CVE-2026-39870 | SceneKit | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | Yes |
| CVE-2026-28846 | SceneKit | A remote attacker may be able to cause unexpected app termination | Yes | Yes | Yes |
| CVE-2026-28993 | Shortcuts | An app may be able to access user-sensitive data | Yes | Yes | Yes |
| CVE-2026-28848 | SMB | A remote attacker may be able to cause unexpected system termination | Yes | Yes | No |
| CVE-2026-28930 | Spotlight | An app may be able to access protected user data | Yes | No | No |
| CVE-2026-28974 | Spotlight | An app may be able to cause a denial-of-service | Yes | Yes | No |
| CVE-2026-28996 | Storage | An app may be able to access sensitive user data | Yes | Yes | Yes |
| CVE-2026-28919 | StorageKit | An app may be able to gain root privileges | Yes | Yes | Yes |
| CVE-2026-28924 | Sync Services | An app may be able to access Contacts without user consent | Yes | Yes | Yes |
| CVE-2026-39871 | TV App | An app may be able to observe unprotected user data | Yes | Yes | Yes |
| CVE-2026-28976 | UserAccountUpdater | An app may be able to gain root privileges | Yes | No | No |
| CVE-2026-43660 | WebKit | Processing maliciously crafted web content may prevent Content Security Policy from being enforced | Yes | No | No |
| CVE-2026-28907 | WebKit | Processing maliciously crafted web content may prevent Content Security Policy from being enforced | Yes | No | No |
| CVE-2026-28962 | WebKit | Processing maliciously crafted web content may disclose sensitive user information | Yes | No | No |
| CVE-2026-43658 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No |
| CVE-2026-28905 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28847 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28904 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28955 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28903 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28953 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28902 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28901 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28913 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28883 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28958 | WebKit | An app may be able to access sensitive user data | Yes | No | No |
| CVE-2026-28917 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28947 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No |
| CVE-2026-28946 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No |
| CVE-2026-28942 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No |
| CVE-2026-28971 | WebKit | A malicious iframe may use another website's download settings | Yes | No | No |
| CVE-2026-28944 | WebRTC | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No |
| CVE-2026-28819 | Wi-Fi | An app may be able to execute arbitrary code with kernel privileges | Yes | Yes | Yes |
| CVE-2026-28994 | Wi-Fi | An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets | Yes | Yes | Yes |
| CVE-2026-28914 | zip | A maliciously crafted ZIP archive may bypass Gatekeeper checks | Yes | No | No |
| CVE-2026-28920 | zlib | Visiting a maliciously crafted website may leak sensitive data | Yes | Yes | Yes |
Facts Only
Vulnerabilities discovered in Wi-Fi, zip files, zlib, macOS, iOS, and other systems
Some vulnerabilities are previously unknown (0-day exploits)
A collaboration between cybersecurity researchers and organizations for vulnerability assessment and disclosure
Executive Summary
This analysis focuses on a list of vulnerabilities and exploits related to various software and hardware systems, as reported in the article. The findings highlight security issues that could potentially be leveraged by malicious actors for nefarious purposes.
The report includes a diverse range of vulnerabilities spanning different domains such as Wi-Fi, zip files, zlib, and multiple operating systems like macOS and iOS. Some of these weaknesses were previously unknown, while others have been acknowledged but not yet fixed by the respective developers.
The context suggests that these discoveries stem from a collaboration between researchers and organizations specializing in cybersecurity and vulnerability assessment. The teams are working together to identify, investigate, and disclose these issues in order to facilitate timely patches and mitigations.
Full Take
Examining the presented findings through an ARC perspective reveals several patterns worth noting:
Pattern ARC-0024 Ambiguity: The article provides technical details about various vulnerabilities but lacks context regarding their severity, impact, and exploitability. This ambiguity can create confusion among readers, potentially leading to misinterpretations or exaggerated fears.
Pattern ARC-0056 Drip-Feed Fear: The release of information about these vulnerabilities over time (drip-fed) may contribute to an ongoing sense of insecurity and fear around the ever-present threat of cyberattacks. This pattern can be used to manipulate public opinion, fueling demand for security solutions while keeping readers in a state of anxiety.
Pattern ARC-0043 Motte-and-Bailey: The article discusses both well-known and previously unknown vulnerabilities, creating a strategic retreat (Motte-and-Bailey) in case the less critical or more common vulnerabilities fail to gain traction or cause significant concern.
It is essential for readers to remain vigilant and aware of cybersecurity threats but also approach reports with a critical eye, recognizing patterns that may be used to manipulate perceptions and drive fear-based narratives.
Sentinel — Human
This is a technical data table listing various security vulnerabilities (CVEs) related to various systems or software components. It serves as a reference for security researchers and developers.
