Apple macOS vulnerabilities

CVE-2026-28815 [HIGH] CWE-125 CVE-2026-28815: A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.

CVE-2025-43257 [HIGH] CWE-59 CVE-2025-43257: This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15 This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.

CVE-2024-40858 [HIGH] CWE-284 CVE-2024-40858: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to access Contacts without user consent.

CVE-2024-44250 [HIGH] CWE-269 CVE-2024-44250: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

CVE-2025-43219 [HIGH] CWE-787 CVE-2025-43219: The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Pr The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted image may corrupt process memory.

CVE-2024-44286 [HIGH] CWE-288 CVE-2024-44286: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15. This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access can input keyboard events to apps running on a locked device.

CVE-2024-44303 [HIGH] CWE-284 CVE-2024-44303: The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1. A malicious The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1. A malicious application may be able to modify protected parts of the file system.

CVE-2025-43202 [HIGH] CWE-787 CVE-2025-43202: This issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 1 This issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6. Processing a file may lead to memory corruption.

CVE-2024-40849 [HIGH] CWE-362 CVE-2024-40849: A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.1 A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to break out of its sandbox.

CVE-2025-43264 [HIGH] CWE-119 CVE-2025-43264: The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Pr The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted image may corrupt process memory.

CVE-2024-44219 [HIGH] CWE-284 CVE-2024-44219: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. A malicious application with root privileges may be able to access private information.

CVE-2025-43238 [MEDIUM] CWE-190 CVE-2025-43238: An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequo An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause unexpected system termination.

CVE-2025-43210 [MEDIUM] CWE-125 CVE-2025-43210: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iO An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

CVE-2025-43236 [LOW] CWE-843 CVE-2025-43236: A type confusion issue was addressed with improved memory handling. This issue is fixed in macOS Seq A type confusion issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An attacker may be able to cause unexpected app termination.

CVE-2026-20688 [CRITICAL] CWE-22 CVE-2026-20688: A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iP A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to break out of its sandbox.

CVE-2026-28827 [CRITICAL] CWE-22 CVE-2026-28827: A parsing issue in the handling of directory paths was addressed with improved path validation. This A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.

CVE-2026-20631 [HIGH] CVE-2026-20631: A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. A user ma A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. A user may be able to elevate privileges.

CVE-2026-28855 [HIGH] CWE-284 CVE-2026-28855: A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.3 and A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3. An app may be able to access protected user data.

CVE-2026-28837 [HIGH] CWE-284 CVE-2026-28837: A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. An app ma A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

CVE-2026-28876 [HIGH] CWE-284 CVE-2026-28876: A parsing issue in the handling of directory paths was addressed with improved path validation. This A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to access sensitive user data.