Skip to main content

Apple macOS EUVD-2025-209939

| CVE-2025-46284 HIGH
Race Condition (CWE-362)
2026-05-26 apple
Information Disclosure Apple Race Condition
7.0
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 27, 2026 - 19:40 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
7.0 (HIGH)
Patch available
May 26, 2026 - 23:02 EUVD
CVE Published
May 26, 2026 - 21:32 nvd
HIGH 7.0
CVE Published
May 26, 2026 - 21:32 nvd
UNKNOWN (no severity yet)

DescriptionNVD

A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to gain root privileges.

AnalysisAI

Local privilege escalation in Apple macOS allows a malicious or compromised application to win a race condition (CWE-362) and elevate from a normal user context to root. The flaw affects macOS releases prior to Sequoia 15.7 and Tahoe 26, was reported by Apple itself, and is resolved by additional validation in the patched builds. No public exploit has been identified at time of analysis, and the CVSS 7.0 rating reflects high attack complexity tied to reliably hitting the timing window.

Technical ContextAI

The root cause is a race condition (CWE-362, concurrent execution using a shared resource with improper synchronization) within a privileged macOS component. Because the affected CPE is cpe:2.3:a:apple:macos and the impact is root acquisition, the vulnerable code path is a system service or helper that performs a privileged operation in a window where state can be modified by an attacker-controlled app between a check and a use (TOCTOU-style). Apple's remediation phrasing - 'a race condition was addressed with additional validation' - indicates the fix re-validates the shared state at the point of use to close the timing window. The 'Information Disclosure' tag suggests the same primitive may also expose protected data, consistent with the C:H rating in the CVSS vector.

RemediationAI

Apply the vendor patch: upgrade to macOS Sequoia 15.7 or macOS Tahoe 26, the builds in which Apple states the issue is fixed via additional validation; these are the exact fixed versions cited in Apple's advisories at https://support.apple.com/en-us/125110 and https://support.apple.com/en-us/125111. No vendor workaround is documented, which is typical for an in-binary system-service race fix. As compensating controls until patching is possible, restrict installation and execution of untrusted apps (enforce Gatekeeper/notarization and an app allowlist via MDM), since exploitation requires running attacker-controlled code locally, and limit interactive standard-user and local accounts on sensitive hosts to shrink the population that can launch the racing app. These controls reduce who can attempt the exploit but do not remove the underlying flaw, so patching remains the only complete fix.

More from same product – last 7 days

CVE-2026-44739 HIGH
8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
CVE-2026-5817 HIGH
8.2 May 22

Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Dock
CVE-2026-5843 HIGH
8.2 May 22

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape

CVE-2025-43306 HIGH
7.8 May 26

Local privilege escalation in Apple macOS allows a malicious app already running with low privileges to elevate to root

CVE-2026-49237 HIGH
7.8 May 28

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r

Share

EUVD-2025-209939 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy