macOS CVE-2025-46282
Severity: MEDIUM. CVSS Vector (NVD):
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.
Analysis (AI)
Safari and macOS allow local authenticated applications to access sensitive user data through improper permission enforcement. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2, exploitable by apps running with user-level privileges that can bypass authorization checks to read protected user information. Apple has released patched versions with additional permission validation; EPSS data indicates minimal real-world exploitation likelihood despite the authenticated local attack vector.
Technical Context (AI)
This vulnerability stems from inadequate permission checks in Safari and macOS (CWE-284: Improper Access Control), a classic authorization bypass flaw where the operating system or application fails to properly validate whether a process has the required privileges before granting access to sensitive resources. The issue affects the Safari browser engine and macOS kernel/framework layers responsible for enforcing data access policies. An authenticated local process (running with user-level permissions, PR:L per CVSS vector) can circumvent these checks to read confidential user data. The fix involved implementing additional permission validation layers, likely in sandbox policies, capability-based security checks, or file/data access control lists that Apple strengthened in Safari 26.2 and macOS Tahoe 26.2.
Remediation (AI)
Vendor-released patch: Update Safari to version 26.2 or later and macOS to Tahoe 26.2 or later. Both updates are available through Apple's standard software update mechanisms (System Settings > General > Software Update on macOS). Prioritize this patch on systems that run untrusted local applications or are shared among multiple users. Workarounds are limited because the attack vector is local; until patching is complete, the primary mitigation is to enforce strong local access controls and prevent execution of unvetted applications. See https://support.apple.com/en-us/125886 and https://support.apple.com/en-us/125892 for comprehensive patch availability and deployment details.