Skip to main content

macOS CVE-2026-28840

| EUVDEUVD-2026-29217 HIGH
Improper Privilege Management (CWE-269)
2026-05-11 apple GHSA-h69x-mj2r-cgmj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 16:31 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.8

DescriptionCVE.org

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.4. An app may be able to gain root privileges.

AnalysisAI

Local privilege escalation in macOS allows authenticated users with low-level access to gain root privileges through a permissions enforcement flaw. Affects macOS Tahoe (pre-26.4), Sequoia (pre-15.7.7), and Sonoma (pre-14.8.7). Apple has released patches for all affected versions. Despite CVSS 7.8, EPSS score of 0.01% indicates minimal observed exploitation activity. No public exploit code identified at time of analysis, though the local attack vector and low complexity suggest post-compromise utility rather than initial access vector.

Technical ContextAI

This vulnerability stems from CWE-269 (Improper Privilege Management), a class of flaws where software incorrectly handles authorization checks for privileged operations. macOS implements a multi-layered permissions system including Unix-style permissions, ACLs, and TCC (Transparency Consent and Control) framework. The affected CPE (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*) indicates the core operating system permission enforcement mechanism was flawed, allowing applications to bypass privilege boundaries. The fix involved adding 'additional restrictions' per Apple's advisory, suggesting the original permission checks were either incomplete, bypassable through race conditions, or improperly validated user-controlled inputs when escalating privileges. This affects three concurrent macOS major versions: Tahoe 26.x (the newest), Sequoia 15.x, and Sonoma 14.x, indicating the flaw exists in shared permission management code across multiple OS generations.

RemediationAI

Apply vendor-released patches immediately for affected macOS versions: upgrade macOS Tahoe to version 26.4 or later, macOS Sequoia to version 15.7.7 or later, or macOS Sonoma to version 14.8.7 or later via System Settings > General > Software Update or through Apple Remote Desktop for enterprise deployments (advisory links: https://support.apple.com/en-us/127117, https://support.apple.com/en-us/126794, https://support.apple.com/en-us/127116). For systems where immediate patching is not feasible, implement compensating controls: restrict local user account creation and limit sudo privileges through Directory Service controls; deploy EDR solutions monitoring abnormal privilege escalation attempts (audit for unexpected privilege token manipulation or permission changes); enable comprehensive logging of authorization events via unified logging system with 'log show --predicate' filters for privilege changes. Note these mitigations only reduce attack surface and do not eliminate vulnerability - they add friction for attackers already possessing local access but will not prevent exploitation by determined adversaries. Organizations using mobile device management should prioritize patch deployment through automated update policies, as local access prerequisite means exploitation requires prior endpoint compromise.

Share

CVE-2026-28840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy