Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A consistency issue was addressed with improved state handling. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.
AnalysisAI
Local privilege escalation in macOS Sequoia, Sonoma, and Tahoe allows applications to gain root privileges through a state handling flaw in the operating system. Apple patched this consistency issue in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite the high CVSS score (7.8), EPSS indicates only 0.02% exploitation probability (4th percentile), no public exploit code identified at time of analysis, and no CISA KEV listing, suggesting this is not yet widely exploited but represents a significant risk in multi-user or untrusted application environments.
Technical ContextAI
This vulnerability stems from CWE-269 (Improper Privilege Management), where the macOS kernel or system framework fails to properly maintain state consistency during privilege transitions. State handling flaws often occur in race conditions, time-of-check-time-of-use (TOCTOU) scenarios, or improper validation of credential objects during process elevation. The CPE identifier confirms this affects Apple's macOS operating system across three major release branches: Sonoma (14.x), Sequoia (15.x), and the newly released Tahoe (26.x). The consistency issue likely involves improper synchronization of privilege-related data structures, allowing a malicious application to manipulate system state to bypass authorization checks and escalate from user-level to root privileges.
RemediationAI
Update to vendor-released patches: macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 via System Settings > General > Software Update. Apple security bulletins are available at https://support.apple.com/en-us/127115 (Tahoe), https://support.apple.com/en-us/127116 (Sequoia), and https://support.apple.com/en-us/127117 (Sonoma). If immediate patching is not feasible, implement application allowlisting to restrict execution to only trusted, signed applications from identified developers, enforced through MDM policies or Gatekeeper configurations. This compensating control reduces attack surface by preventing unknown applications from running, though it may impact user productivity in development or testing environments. Additionally, enable Full Disk Access restrictions and review System Integrity Protection (SIP) status to ensure layered protections remain active, though these do not directly mitigate the vulnerability.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29240
GHSA-8g97-7mpw-mjmw