macOS
CVE-2025-43320
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The issue was addressed by adding additional logic. This issue is fixed in macOS Sequoia 15.7.3, macOS Tahoe 26. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.
AnalysisAI
macOS launch constraint bypass enables authenticated local users to execute code with elevated privileges on macOS Sequoia (up to 15.7.2) and macOS Tahoe (pre-26). The vulnerability requires low-complexity exploitation by a user with existing local access, allowing them to circumvent Apple's launch constraint security framework and achieve full system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with EPSS indicating only 0.02% probability of exploitation in the wild (5th percentile).
Technical ContextAI
Launch constraints are a macOS security mechanism introduced to restrict which processes can be launched and what privileges they can obtain, forming part of Apple's defense-in-depth architecture. This CWE-269 (Improper Privilege Management) flaw allows applications to bypass these runtime protections through logic flaws in the constraint validation code. The vulnerability affects the core operating system privilege escalation controls across macOS Sequoia 15.x series and the newer macOS Tahoe (version 26) platform. Apple addressed the issue by implementing additional validation logic in the launch constraint enforcement subsystem, suggesting the original implementation had insufficient checks during privilege elevation requests or constraint policy enforcement.
RemediationAI
Vendor-released patches are available through Apple's standard update mechanisms. Users running macOS Sequoia should immediately upgrade to version 15.7.3 or later via System Settings > General > Software Update or through Apple's Software Update service. Users on macOS Tahoe preview/beta builds should upgrade to macOS Tahoe version 26 or later. Apple addressed the vulnerability by implementing additional logic checks in the launch constraint validation subsystem as documented in security advisories HT216018 (https://support.apple.com/en-us/125887) and HT216005 (https://support.apple.com/en-us/125110). No workarounds are available for this privilege escalation vulnerability; patching to the fixed versions is the only effective remediation. Organizations should prioritize updates for systems with multiple user accounts or where untrusted applications may be installed. Standard macOS security practices of limiting application installation sources and maintaining least-privilege user accounts provide defense-in-depth but do not eliminate the vulnerability.
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility develope
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)
A logic issue was addressed with improved restrictions. Rated high severity (CVSS 7.8), this vulnerability is no authent
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environmen
A race condition was addressed with additional validation. Rated high severity (CVSS 7.0), this vulnerability is no auth
This issue was addressed with improved checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely explo
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today