Skip to main content

macOS CVE-2026-28908

| EUVDEUVD-2026-29233 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-11 apple GHSA-wqj7-458q-4h8g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:24 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

A denial of service issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to modify protected parts of the file system.

AnalysisAI

Local privilege escalation in macOS allows malicious applications to modify protected filesystem areas despite system integrity protections, enabling persistent compromise of system security. Affects macOS Sequoia (prior to 15.7.7), Sonoma (prior to 14.8.7), and Tahoe (prior to 26.5). Apple fixed the vulnerability by removing the exploitable code component. Despite the CVSS vector indicating a network-based denial-of-service, the description clearly states the actual impact is unauthorized filesystem modification by local applications, suggesting a CVSS scoring inconsistency. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit code or CISA KEV listing identified.

Technical ContextAI

This vulnerability (CWE-400: Uncontrolled Resource Consumption) affects macOS System Integrity Protection (SIP) mechanisms designed to prevent unauthorized modification of protected system directories. The issue appears to involve a code path that incorrectly validated or enforced permissions on protected filesystem areas, allowing applications to bypass Apple's security framework restrictions. Apple's remediation approach-removing the vulnerable code entirely rather than patching it-suggests the affected functionality was either obsolete or its security risk outweighed its utility. The discrepancy between the CVSS vector (AV:N indicating network attack) and the description (local app exploitation) indicates possible scoring error or miscategorization during initial analysis. The CPE identifier confirms impact across all recent macOS major versions including the newest Tahoe (26.x) release.

RemediationAI

Apply vendor-released patches immediately: upgrade macOS Tahoe to version 26.5 or later (https://support.apple.com/en-us/127115), macOS Sequoia to version 15.7.7 or later (https://support.apple.com/en-us/127116), or macOS Sonoma to version 14.8.7 or later (https://support.apple.com/en-us/127117). Apple addressed the vulnerability by removing the exploitable code component entirely, eliminating the attack surface. For environments unable to patch immediately, implement strict application control policies limiting installation to cryptographically signed, verified applications from trusted sources only (Gatekeeper enforcement at maximum level, disable unsigned app execution). Deploy endpoint detection monitoring for unauthorized filesystem modifications in protected directories (/System, /Library, /usr except /usr/local). Note that compensating controls only reduce risk-they cannot eliminate the vulnerability as malicious apps with valid code signatures could still exploit the flaw. EDR monitoring may produce false positives from legitimate system updates and should be tuned carefully.

Share

CVE-2026-28908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy