Apple's May Wi-Fi kernel bug is bad, but it's probably not Broadpwn
CVE-2026-28819 gets kernel code execution on macOS, but Apple's wording points at a local-app trigger, not a rogue access point. Patch on a 72-hour clock, not a panic clock.
CVE-2026-28819 is a kernel-privilege Wi-Fi bug on macOS, and on Apple’s own wording it’s reachable from a local app, not from a rogue access point in range. That distinction sets the deployment posture: compress the normal patch cycle to a 72-hour DDM enforcement deadline, not a panic-deploy by tonight. The headlines reaching for Broadpwn comparisons are reading Apple’s advisory the way they wish it read, not the way it actually does.
Apple’s text is six words long where it counts: “An app may be able to execute arbitrary code with kernel privileges.” That phrasing is Apple’s house style for a local trigger. When the bug is reachable from the air, the advisory reads “an attacker in a privileged network position” or “processing a maliciously crafted Wi-Fi packet.” The contrast is consistent across years of Apple security notes, and it functions as a tell.
On the most defensible reading of Apple’s own language, CVE-2026-28819 is a kernel privilege escalation reachable from app context: a malicious binary outside the App Store, a compromised distribution channel, or a chain link from a browser sandbox escape that wants to break out of WebContent and into the kernel. Still serious. Kernel RCE is kernel RCE. But the operational calculus is “compress the patch cycle,” not “disable Wi-Fi on the executive laptops by tonight.”
What shipped and when
Apple patched the bug across every supported macOS train and the legacy iOS branch on May 11 and 12.
| OS | Fixed version | Build | Released |
|---|---|---|---|
| macOS Tahoe 26 | 26.5 | 25F71 | May 11, 2026 |
| macOS Sequoia 15 | 15.7.7 | 24G720 | May 12, 2026 |
| macOS Sonoma 14 | 14.8.7 | not confirmed | May 12, 2026 |
| iOS / iPadOS 18 | 18.7.9 | — | May 11, 2026 |
The one-day stagger between Tahoe and the legacy-train Sequoia and Sonoma backports is the usual Apple pattern: flagship first, security-only updates for the older trains within 24 hours. Ventura got nothing, which is also normal: it has aged out of the three-generation support window.
Two honest gaps to carry into your tracking. The Sonoma 14.8.7 build string was not surfaced in any of the sources I pulled, so if you’re writing a compliance query against Sonoma machines, verify the build against Apple’s HT page rather than trusting an inferred value. And it is plausible but not confirmed that the same fix landed in iOS 26.5, iPadOS 26.5, tvOS 26.5, watchOS 26.5, and visionOS 26.5 (all also released May 11). The Wi-Fi stack is shared; Apple sometimes patches the same bug across trains without cross-listing the CVE on every advisory. If those devices are in scope for you, treat the current-generation update as in-scope until proven otherwise.
The legacy iOS update is the one most operators will under-prioritize. The iOS 18.7.9 and iPadOS 18.7.9 advisory is the relevant patch for devices that stayed on or are stuck on the iOS 18 branch: older iPhones and iPads that didn’t take the iOS 26 jump, and current-generation devices that opted out. These are the ones typically managed as second-class citizens in MDM, and they take longer to enforce on. AppleInsider’s coverage flagged Wi-Fi and kernel fixes as the reason to push that one quickly.
What the threat model actually looks like
ZDI called CVE-2026-28819 the most severe item in the May Apple round on impact alone. Neither ZDI nor the CIS advisory reports active exploitation. Apple did not apply its standard “Apple is aware of a report that this issue may have been actively exploited” language. CISA KEV had not added it as of the patch date.
That status has a short half-life. Prior Apple Wi-Fi kernel-privilege bugs have been reverse-engineered from public patch diffs and added to KEV within 30 to 60 days. Plan accordingly: the window where this is a “patch on a normal cadence” item is measured in weeks, not quarters.
The historical lineage is worth a paragraph because it sharpens the distinction. Apple Wi-Fi kernel bugs have a deep bench. Gal Beniamini’s Over The Air series demonstrated a Broadcom BCM4355 chipset OOB write chained from the radio into iOS kernel read/write: chipset compromise first, kernel pivot second, both reachable from the air. Broadpwn was zero-click and purely proximity-triggered. Ian Beer’s iOS zero-click radio proximity work hit AWDL in XNU itself. CVE-2026-28819 sits in that lineage as a class of bug, kernel-layer Wi-Fi code that fails to bounds-check, but on Apple’s wording it does not sit in that lineage as an attack model. The Broadpwn-class bugs are reachable from the air. This one, most likely, is not.
The deployment mechanics
The MDM story has shifted in a way that matters for this specific patch. On macOS Tahoe 26, the legacy ScheduleOSUpdate MDM commands and com.apple.SoftwareUpdate restriction payloads are deprecated. Declarative device management is now the supported enforcement path. Jamf Pro adopted DDM-based update enforcement starting in 11.8; Microsoft Intune configures it through Settings Catalog → DDM → Software Update; Kandji and Addigy both handle the declaration the same way: the Mac autonomously downloads, prepares, and notifies the user, and the OS owns the deadline.
For CVE-2026-28819, a 72-hour enforcement deadline is the right calibration. Not the default seven-day deferral. Not an emergency same-day push. Kernel RCE warrants compression. The local-app reading does not warrant panic.
The hard cases are the ones you already know about:
- Unsupervised, ABM/ASM-unenrolled Macs can be notified but not force-restarted. The user can dismiss the countdown forever. In SMB and small-MSP environments these are usually the biggest gap.
- BYOD M-series Macs sit in the same bucket. MDM-pushed notifications, no force-restart authority.
- Sequoia and Sonoma security-only updates are pure security releases with no feature changes. The historical Mac-admin habit of waiting a week to dodge x.y.0 regressions is reasonable judgment for feature updates and the wrong call here. The change-control justification for waiting is thin.
For the unmanaged-Mac problem, the move that actually works is gating VPN or SaaS tenant access on minimum OS build through conditional access. Patch compliance becomes a precondition for getting work done, which shifts the question from “will the user click update” to “will the user be able to open Salesforce on Monday.”
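As a concrete form of the compliance query and the minimum-build gate described above, here is an added example (mine, not the article's and not any MDM vendor's code) of a POSIX shell extension-attribute script that maps a Mac's productVersion to the fixed versions in the table. It assumes those versions as the floor, compares Sonoma on version only because its build string is unconfirmed, and uses the standard `sw_vers` tool when run on a Mac.

```shell
#!/bin/sh
# Added example: Jamf-style extension attribute / conditional-access spot check
# for CVE-2026-28819. Fixed versions are the May 11-12 values from Apple's
# advisories; Ventura and older get no fix, so they report as unsupported.

# fixed_version <major> -> first fixed productVersion for that train ("" if none shipped)
fixed_version() {
  case "$1" in
    26) echo "26.5"   ;;   # macOS Tahoe, build 25F71
    15) echo "15.7.7" ;;   # macOS Sequoia, build 24G720
    14) echo "14.8.7" ;;   # macOS Sonoma, build not confirmed, so version-only
    *)  echo ""       ;;   # Ventura and older: out of the support window
  esac
}

# version_ge <a> <b> -> exit 0 if dotted version a >= b (numeric per field, up to 4 fields)
version_ge() {
  a=$1; b=$2
  case "$a" in *.*) ;; *) a="$a.0" ;; esac   # normalise a bare "26" to "26.0"
  case "$b" in *.*) ;; *) b="$b.0" ;; esac
  i=1
  while [ "$i" -le 4 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # every field equal
    x=${x:-0}; y=${y:-0}                     # missing trailing field counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# patch_status <productVersion> -> prints compliant | needs-patch | unsupported
patch_status() {
  fixed=$(fixed_version "${1%%.*}")
  if [ -z "$fixed" ]; then echo "unsupported"; return 2; fi
  if version_ge "$1" "$fixed"; then echo "compliant"; return 0; fi
  echo "needs-patch"; return 1
}

# On a Mac: print a Jamf extension-attribute <result> line and exit 0 only when
# the running build contains the fix (usable as a conditional-access precondition).
if command -v sw_vers >/dev/null 2>&1; then
  status=$(patch_status "$(sw_vers -productVersion)")
  echo "<result>$status ($(sw_vers -productVersion) $(sw_vers -buildVersion))</result>"
  [ "$status" = "compliant" ]
fi
```

Verify the Sonoma build against Apple's HT page before turning the version-only comparison into a build comparison for that train.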
Detection, honestly
This is the part where I’d rather be straight with you than reassuring. Mac EDR coverage of kernel-space OOB writes is thin in real time. Jamf Protect, CrowdStrike Falcon for macOS, SentinelOne, and Huntress for Mac all depend on the attacker pivoting from kernel context into something observable in userland. The initial write itself is outside the instrumentation plane. A clean kernel panic and reboot may leave nothing more than a panic.ips in /Library/Logs/DiagnosticReports/.
The takeaway is uncomfortable but true: for this class of bug, the patch is the detection strategy. Post-hoc, look at panic.ips files and run log show --predicate 'process == "wifid"' --last 7d if you want to spot-check for anomalous Wi-Fi daemon crashes. Do not pretend the EDR will catch this one on the wire.
What’s still unclear
Carrying the dossier’s uncertainty forward rather than papering over it:
- Whether the bug is local-app-triggered (most defensible reading) or has an over-the-air component. A post-disclosure researcher write-up would resolve this. None is public yet. Wang Yu’s 2022 Black Hat work maps the relevant kexts, but which one holds this specific bug doesn’t change how you deploy.
- The Sonoma 14.8.7 build string, as noted above.
- Whether the current-generation iOS 26 / iPadOS 26 / tvOS / watchOS / visionOS 26.5 releases also fix this CVE.
If any of those resolve in the next two weeks in a way that changes the threat model, the deployment posture should change with them. Right now, the defensible read is “patch on a 72-hour clock through DDM, gate the unmanaged tail with conditional access, and check KEV weekly.”
The reason aggregator headlines keep reaching for Broadpwn comparisons is that “kernel” and “Wi-Fi” in the same sentence sells. Apple’s wording, read carefully, says something narrower and still serious. Calibrate to what the vendor actually wrote, not to what the headline wanted them to write.
The PatchDay Alert digest flags Apple OS updates the morning they ship, with the affected build strings and a one-line urgency call so you can triage before the change board meeting.
Sources
- CVE-2026-28819 — NVD — 2026-05-11
- About the security content of macOS Tahoe 26.5 — Apple Support — 2026-05-11
- About the security content of macOS Sequoia 15.7.7 — Apple Support — 2026-05-12
- About the security content of iOS 18.7.9 and iPadOS 18.7.9 — Apple Support — 2026-05-11
- Update your older iPhone, iPad, or Mac — AppleInsider — 2026-05-11
- The Apple macOS Security Update Review — Zero Day Initiative — 2026-05-12
- Multiple Vulnerabilities in Apple Products — CIS Advisory 2026-047 — 2026-05
- Over The Air Vol. 2, Pt. 1 — Project Zero (Beniamini) — 2017-09
- Broadpwn — Exodus Intelligence (Artenstein) — 2017-07
- An iOS zero-click radio proximity exploit odyssey — Project Zero (Beer) — 2020-12
- Managed software updates via DDM — Jamf — 2025
- Move to DDM for Apple software updates — Microsoft Community Hub — 2025
- Declarative Device Management and Managed OS — Kandji Support — current
- Overview: System Updates via DDM — Addigy — current
- Falcon for macOS — CrowdStrike — current
- Dive Into Apple IO80211Family Vol. 2 — Wang Yu, Black Hat USA 2022 — 2022-08