A logic issue was addressed with improved state management. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A UDP server socket bound to a local interface may become bound to all interfaces.
The vulnerability results from a logical error (CWE-670 — Always-Incorrect Control Flow Implementation) in UDP network socket state handling. When binding a UDP server socket to a specific local network interface, the state management error causes the socket to actually be bound to all available interfaces. As a result, network traffic directed to all device interfaces — including external or public ones — is accepted by the socket, which was supposed to handle only local communication.
An attacker with network access to the device can gain unauthorized access to UDP services that should be isolated locally, potentially leading to disclosure of sensitive data, system integrity violation, or disruption of its availability.
Systems should be updated to the following versions: iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Patches are available through Apple's system update mechanism and in the vendor references provided above.
iOS and iPadOS versions prior to 18.7, macOS Sequoia prior to 15.7, macOS Sonoma prior to 14.8, as well as versions preceding: iOS 26, iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple iPadOS
OSApple< 18.7Apple iOS
OSApple< 18.7Apple macOS
OSApple14.0 – 14.8 (bez)15.0 – 15.7 (bez)Apple tvOS
OSApple< 26.0Apple Visionos
OSApple< 26.0Apple watchOS
OSApple< 26.0
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki