Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.4. An app may be able to gain root privileges.
AnalysisAI
Local privilege escalation in macOS allows authenticated users with low-level access to gain root privileges through a permissions enforcement flaw. Affects macOS Tahoe (pre-26.4), Sequoia (pre-15.7.7), and Sonoma (pre-14.8.7). Apple has released patches for all affected versions. Despite CVSS 7.8, EPSS score of 0.01% indicates minimal observed exploitation activity. No public exploit code identified at time of analysis, though the local attack vector and low complexity suggest post-compromise utility rather than initial access vector.
Technical ContextAI
This vulnerability stems from CWE-269 (Improper Privilege Management), a class of flaws where software incorrectly handles authorization checks for privileged operations. macOS implements a multi-layered permissions system including Unix-style permissions, ACLs, and TCC (Transparency Consent and Control) framework. The affected CPE (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*) indicates the core operating system permission enforcement mechanism was flawed, allowing applications to bypass privilege boundaries. The fix involved adding 'additional restrictions' per Apple's advisory, suggesting the original permission checks were either incomplete, bypassable through race conditions, or improperly validated user-controlled inputs when escalating privileges. This affects three concurrent macOS major versions: Tahoe 26.x (the newest), Sequoia 15.x, and Sonoma 14.x, indicating the flaw exists in shared permission management code across multiple OS generations.
RemediationAI
Apply vendor-released patches immediately for affected macOS versions: upgrade macOS Tahoe to version 26.4 or later, macOS Sequoia to version 15.7.7 or later, or macOS Sonoma to version 14.8.7 or later via System Settings > General > Software Update or through Apple Remote Desktop for enterprise deployments (advisory links: https://support.apple.com/en-us/127117, https://support.apple.com/en-us/126794, https://support.apple.com/en-us/127116). For systems where immediate patching is not feasible, implement compensating controls: restrict local user account creation and limit sudo privileges through Directory Service controls; deploy EDR solutions monitoring abnormal privilege escalation attempts (audit for unexpected privilege token manipulation or permission changes); enable comprehensive logging of authorization events via unified logging system with 'log show --predicate' filters for privilege changes. Note these mitigations only reduce attack surface and do not eliminate vulnerability - they add friction for attackers already possessing local access but will not prevent exploitation by determined adversaries. Organizations using mobile device management should prioritize patch deployment through automated update policies, as local access prerequisite means exploitation requires prior endpoint compromise.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29217
GHSA-h69x-mj2r-cgmj