Skip to main content

macOS EUVDEUVD-2026-29244

| CVE-2026-28924 HIGH
Race Condition (CWE-362)
2026-05-11 apple GHSA-mh8p-q52p-75qg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:25 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access Contacts without user consent.

AnalysisAI

Malicious applications on macOS Sequoia, Sonoma, and Tahoe can bypass user consent prompts to access the Contacts database through a race condition in symbolic link handling. Apple has patched this privacy control bypass in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite a network-based CVSS vector scoring 7.5 (High), the actual attack requires local application execution, indicating likely miscategorization in the metric. EPSS exploitation probability is very low (0.02%, 4th percentile) with no active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability exploits a race condition (CWE-362) in macOS's handling of symbolic links within the privacy framework that governs application access to sensitive user data. macOS implements Transparency, Consent, and Control (TCC) mechanisms requiring explicit user permission before applications can access protected resources like Contacts. The race condition occurs during symbolic link resolution, creating a time-of-check-time-of-use (TOCTOU) window where a malicious application can substitute a symbolic link pointing to the Contacts database between the permission check and actual file access. This allows the application to read contact information without triggering the standard consent dialog. The vulnerability affects macOS's core privacy infrastructure across three major OS branches: Sonoma (14.x), Sequoia (15.x), and the newer Tahoe (26.x) release.

RemediationAI

Immediate action: upgrade to patched versions via Software Update: macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5. Download patches from System Settings > General > Software Update or through Apple's support pages at support.apple.com/en-us/127115, support.apple.com/en-us/127116, and support.apple.com/en-us/127117. If immediate patching is not feasible, implement these compensating controls: restrict application installation to Mac App Store sources only via System Settings > Privacy & Security > Security (blocks most third-party malware vectors but prevents legitimate non-App-Store software installation); audit TCC database at ~/Library/Application Support/com.apple.TCC/TCC.db for unexpected Contacts permissions granted to unfamiliar applications (requires technical expertise and may miss actively exploiting apps); deploy endpoint detection and response (EDR) solutions capable of monitoring suspicious symbolic link creation patterns in user data directories (may generate false positives from legitimate software). Note these mitigations reduce but do not eliminate risk as sophisticated malware may bypass App Store restrictions through social engineering or exploit signing certificate abuse.

Share

EUVD-2026-29244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy