Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A malicious app may be able to break out of its sandbox.
AnalysisAI
Sandbox escape in macOS logging subsystem allows malicious applications with low privileges to break containment and access system resources beyond sandbox boundaries. The vulnerability stems from improper data redaction in logging mechanisms (CWE-532), affecting macOS Tahoe 26.x, Sequoia 15.x, and Sonoma 14.x prior to their May 2026 updates. Apple has released patches for all affected versions. EPSS score of 0.02% (4th percentile) indicates minimal widespread exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis. CVSS 8.8 HIGH reflects the scope change (S:C) allowing escape from sandboxed context to system-level access with complete confidentiality, integrity, and availability impact.
Technical ContextAI
The vulnerability resides in macOS's unified logging system, which handles system-wide event recording and diagnostic data. CWE-532 (Insertion of Sensitive Information into Log File) indicates that the logging subsystem failed to properly redact sensitive data before writing to log files or streams. In macOS, applications run within App Sandbox - a mandatory access control technology that restricts app capabilities to their declared entitlements. The logging flaw creates an unintended information disclosure channel or privilege escalation vector, allowing sandboxed processes to leverage improperly redacted log data to infer system state, access credentials, or manipulate logging mechanisms to escape containment. The CVSS scope change (S:C) confirms the vulnerability crosses security boundaries from the sandboxed application context to the broader system security context. This affects the core operating system across all modern macOS branches: Sonoma (14.x), Sequoia (15.x), and the newer Tahoe (26.x) release.
RemediationAI
Apply Apple security updates immediately: upgrade macOS Tahoe to version 26.5 or later (https://support.apple.com/en-us/127117), macOS Sequoia to version 15.7.7 or later (https://support.apple.com/en-us/127116), or macOS Sonoma to version 14.8.7 or later (https://support.apple.com/en-us/127115). Updates are available through System Settings > General > Software Update or via Apple Software Update mechanisms for managed deployments. No workarounds are documented by Apple. Compensating controls until patching include restricting installation of third-party applications to trusted sources only through Gatekeeper enforcement, enabling Full Disk Access restrictions in System Settings > Privacy & Security to limit application permissions, and monitoring system logs for unusual application behavior attempting to access logging subsystems (Console.app or log stream commands). Note that restricting application installation may impact productivity in development or creative workflows requiring diverse toolsets, and log monitoring generates significant operational overhead without automated correlation. These mitigations do not prevent exploitation by already-installed malicious applications and should be considered temporary risk reduction measures only.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29243
GHSA-mvr2-p57p-mxm8