Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.
AnalysisAI
Local privilege escalation in Apple macOS (Sequoia, Sonoma, and Tahoe branches) allows a malicious application to gain root privileges by exploiting a path validation flaw in directory path handling. The issue, tracked as CVE-2026-28915 and reported by Apple itself, has no public exploit identified at time of analysis and a very low EPSS score (0.02%), but the total technical impact (root) makes it a meaningful endpoint hardening priority.
Technical ContextAI
The vulnerability is a CWE-22 path traversal weakness in a macOS component that parses directory paths. Per the CPE (cpe:2.3:a:apple:macos:*) and Apple's advisories, the flaw spans multiple supported macOS trains and was remediated by tightening path validation logic. CWE-22 issues typically arise when user- or app-supplied path segments (e.g., '..', symlinks, or unexpected separators) are not normalized before being used for privileged file operations, allowing a process to access or write to locations outside the intended directory and, in this case, escalate to root.
RemediationAI
Apply the vendor-released patches: upgrade to macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 as appropriate for each endpoint, using Apple's advisories at https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127116, and https://support.apple.com/en-us/127117. Because exploitation requires the user to run a malicious app, compensating controls while patches roll out include enforcing Gatekeeper and notarization (do not allow apps from unidentified developers), restricting software installation to MDM-approved sources via an allowlist, and using endpoint controls such as TCC and System Integrity Protection (do not disable SIP, which would remove a key mitigation against root-level abuse); these controls reduce the chance that an unsigned exploit binary gets executed but do not address the underlying parsing flaw.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29237
GHSA-3p5g-f8f7-7m9h