Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.
AnalysisAI
Privilege escalation in Apple operating systems allows local authenticated applications to gain root privileges through an authorization flaw in state management. Affects multiple macOS versions (Sonoma, Sequoia, Tahoe) and iOS/iPadOS versions prior to patched releases. Apple has issued coordinated security updates across all affected platforms (iOS 18.7.9/26.5, iPadOS 18.7.9/26.5, macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8, with no public exploit identified at time of analysis and no CISA KEV listing. The local attack vector requiring authenticated privileges substantially reduces immediate risk compared to network-based vulnerabilities.
Technical ContextAI
This vulnerability (CWE-863: Incorrect Authorization) stems from flawed state management in Apple's operating system authorization framework that validates privilege transitions. The affected CPE configurations span multiple OS generations: iOS/iPadOS (mobile platforms) and macOS Sonoma (14.x), Sequoia (15.x), and Tahoe (26.x) series. CWE-863 indicates the authorization logic fails to properly enforce security policies during state changes, allowing an application to manipulate or bypass privilege checks during transitions. Apple's authorization architecture typically uses XPC services, entitlements, and privilege separation - this flaw suggests a race condition, improper validation sequence, or state confusion in the elevation pathway that permits applications to escalate from low-privileged user context to root (UID 0) without proper authorization checks. The cross-platform nature (iOS, iPadOS, macOS) indicates the vulnerable code exists in shared frameworks like Foundation, Security.framework, or system daemons managing privilege elevation.
RemediationAI
Vendor-released patches are available for all affected platforms. Update iOS and iPadOS devices to version 18.7.9 or 26.5 through Settings > General > Software Update. Update macOS Sonoma systems to 14.8.7, Sequoia systems to 15.7.7, or Tahoe systems to 26.5 via System Settings > General > Software Update or using softwareupdate command-line tool. Detailed update instructions available in Apple security advisories at https://support.apple.com/en-us/127110, https://support.apple.com/en-us/127111, https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127116, and https://support.apple.com/en-us/127117. If immediate patching is not feasible, implement compensating controls including application allowlisting to prevent execution of untrusted applications (using Gatekeeper enforcement and restricting installation sources to Mac App Store only), enable System Integrity Protection and remove admin privileges from standard user accounts to raise the initial access barrier. For macOS enterprise environments, deploy Mobile Device Management (MDM) policies restricting application installation and enforcing automatic security updates. Note that compensating controls only reduce attack surface and cannot eliminate the vulnerability - patching remains the only complete remediation. Temporary restrictions on app installation may impact user productivity and require exceptions management.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29256
GHSA-798q-fw67-pc42