Skip to main content

macOS CVE-2025-46313

| EUVDEUVD-2025-210112 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-11 apple GHSA-36xw-wj35-w3q4
5.5
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Local vector confirmed by logging context; PR:N because app requires no elevated privileges; UI:R for the user action that triggers data logging; C:H for potential exposure of sensitive user data.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 22:25 vuln.today
CVSS changed
Jun 12, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch available
Jun 11, 2026 - 20:01 EUVD
CVE Published
Jun 11, 2026 - 18:47 cve.org
MEDIUM 5.5
CVE Published
Jun 11, 2026 - 18:47 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.

AnalysisAI

macOS logs sensitive user data without adequate redaction, allowing a local application to read that data from system logs without requiring elevated privileges. Affecting all macOS versions prior to Tahoe 26.1, the flaw (CWE-532) stems from insufficient data sanitization in the operating system's logging subsystem. An app running in the user context can exploit this to access confidential information that should be protected, with no public exploit identified at time of analysis and an EPSS probability of 0.02%.

Technical ContextAI

CWE-532 (Insertion of Sensitive Information into Log File) describes a class of flaw where an application or OS component writes data to logs that should be treated as sensitive - credentials, tokens, personal information, or private user content - without redacting or masking it. The affected product per CPE is cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*, covering Apple macOS broadly. The fix, described as 'improved data redaction,' confirms the root cause: the logging pipeline lacked proper sanitization rules for certain data categories. Because log files on macOS may be accessible to sandboxed or unprivileged apps under specific entitlements or log API access, a malicious application could query system logs to retrieve data it otherwise should not have access to. This is a confidentiality-only issue (I:N, A:N in the CVSS vector), with no integrity or availability impact.

RemediationAI

The vendor-released patch is macOS Tahoe 26.1, which addresses this issue with improved log data redaction. Users and administrators should upgrade to macOS Tahoe 26.1 or later as the primary remediation. The Apple security advisory at https://support.apple.com/en-us/125634 documents this fix. No confirmed workaround is available for unpatched systems, but as a compensating control, administrators can restrict third-party application access to system log APIs via macOS privacy controls and MDM policies to reduce the attack surface. Additionally, auditing which applications have been granted log access entitlements can help identify potentially exploiting apps until patching is feasible.

Share

CVE-2025-46313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy