Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access Contacts without user consent.
AnalysisAI
Malicious applications on macOS Sequoia, Sonoma, and Tahoe can bypass user consent prompts to access the Contacts database through a race condition in symbolic link handling. Apple has patched this privacy control bypass in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite a network-based CVSS vector scoring 7.5 (High), the actual attack requires local application execution, indicating likely miscategorization in the metric. EPSS exploitation probability is very low (0.02%, 4th percentile) with no active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability exploits a race condition (CWE-362) in macOS's handling of symbolic links within the privacy framework that governs application access to sensitive user data. macOS implements Transparency, Consent, and Control (TCC) mechanisms requiring explicit user permission before applications can access protected resources like Contacts. The race condition occurs during symbolic link resolution, creating a time-of-check-time-of-use (TOCTOU) window where a malicious application can substitute a symbolic link pointing to the Contacts database between the permission check and actual file access. This allows the application to read contact information without triggering the standard consent dialog. The vulnerability affects macOS's core privacy infrastructure across three major OS branches: Sonoma (14.x), Sequoia (15.x), and the newer Tahoe (26.x) release.
RemediationAI
Immediate action: upgrade to patched versions via Software Update: macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5. Download patches from System Settings > General > Software Update or through Apple's support pages at support.apple.com/en-us/127115, support.apple.com/en-us/127116, and support.apple.com/en-us/127117. If immediate patching is not feasible, implement these compensating controls: restrict application installation to Mac App Store sources only via System Settings > Privacy & Security > Security (blocks most third-party malware vectors but prevents legitimate non-App-Store software installation); audit TCC database at ~/Library/Application Support/com.apple.TCC/TCC.db for unexpected Contacts permissions granted to unfamiliar applications (requires technical expertise and may miss actively exploiting apps); deploy endpoint detection and response (EDR) solutions capable of monitoring suspicious symbolic link creation patterns in user data directories (may generate false positives from legitimate software). Note these mitigations reduce but do not eliminate risk as sophisticated malware may bypass App Store restrictions through social engineering or exploit signing certificate abuse.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29244
GHSA-mh8p-q52p-75qg