Vypr Intelligence · AI-generated · May 31, 2026 · 7 CVEs

Apple macOS: Seven CVEs — Privilege Escalation and Data Leak Flaws Patched Across Tahoe, Sequoia, Sonoma

Apple patched seven CVEs across macOS Tahoe, Sequoia 15.7, and Sonoma 14.8 on May 26, including two high-severity race-condition and logic bugs that could let a malicious app gain root privileges.

Key findings

  • Two high-severity CVEs (CVE-2025-43306, CVSS 7.8; CVE-2025-46284, CVSS 7.0) allow app-to-root privilege escalation
  • Five medium-severity CVEs (all CVSS 5.5) cover data leakage, file-system tampering, and denial of service
  • CVE-2025-43306 is the broadest fix, spanning Tahoe 26, Sequoia 15.7, and Sonoma 14.8
  • No active exploitation reported as of the May 26 disclosure
  • macOS Tahoe 26 receives patches for all seven CVEs; Sequoia 15.7 covers four; Sonoma 14.8 covers three

Apple released a coordinated batch of seven security patches on May 26, 2026, addressing vulnerabilities across macOS Tahoe 26, macOS Sequoia 15.7, and macOS Sonoma 14.8. The batch includes two high-severity CVEs (CVSS 7.0 and 7.8) that could allow a malicious application to escalate to root privileges, alongside five medium-severity flaws covering data leakage, file-system tampering, and denial of service. All seven CVEs were published simultaneously in Apple's advisory cycle.

Privilege escalation cluster — two high-severity bugs

The most severe issue in the batch is CVE-2025-43306 (CVSS 7.8), a logic flaw in macOS that Apple addressed with improved checks; a malicious app may be able to use it to gain root privileges. The fix spans macOS Tahoe 26, Sequoia 15.7, and Sonoma 14.8, making it the broadest-reaching patch in the group. Close behind is CVE-2025-46284 (CVSS 7.0), a race condition resolved with additional validation. That bug is fixed in macOS Sequoia 15.7 and macOS Tahoe 26 and has the same impact: a malicious app may be able to gain root privileges. The lower score reflects the higher attack complexity of winning a race rather than any reduced impact.

Data-leak and permissions bugs — five medium-severity CVEs

Three medium-severity CVEs (all CVSS 5.5) share a common impact: an app may be able to access sensitive user data. CVE-2025-46307 is a logic issue fixed in macOS Tahoe 26. CVE-2025-43451 is a permissions issue addressed by removing the vulnerable code, also fixed only in Tahoe 26. CVE-2025-43289 is a logic issue fixed with improved validation, and it is the broadest of the three: its fix covers macOS Tahoe 26, Sequoia 15.7, and Sonoma 14.8.

Two additional medium-severity bugs round out the batch. CVE-2025-43290 (CVSS 5.5) is a permissions issue that could let an app modify protected parts of the file system; Apple addressed it with additional restrictions, and the fix ships for Tahoe 26, Sequoia 15.7, and Sonoma 14.8. CVE-2025-46280 (CVSS 5.5) is an out-of-bounds read that could cause unexpected system termination; it was addressed with improved bounds checking, and the fix is limited to macOS Tahoe 26.

Patch status and affected versions

Apple's fixes are distributed across three macOS release lines. macOS Tahoe 26 receives patches for all seven CVEs. macOS Sequoia 15.7 covers four: CVE-2025-46284, CVE-2025-43306, CVE-2025-43290, and CVE-2025-43289. macOS Sonoma 14.8 covers three: CVE-2025-43306, CVE-2025-43290, and CVE-2025-43289. Note that the two Tahoe-only data-access bugs (CVE-2025-46307, CVE-2025-43451) and the Tahoe-only out-of-bounds read (CVE-2025-46280) have no fix listed for Sequoia or Sonoma in this batch; the advisory does not state whether those lines are unaffected or simply not patched. Users on older macOS versions that are not covered by these updates should upgrade to a supported release line. As of disclosure, no active exploitation has been reported for any of the seven CVEs.
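A fleet-side check for whether a given Mac already sits at or above the patched release for its line, written here as an added example; it is not part of the Vypr article or of Apple's advisory. It assumes `sw_vers -productVersion` output of the form `15.7` or `14.8.1`, and because the article names only "macOS Tahoe 26" without a point release, the Tahoe minimum is a parameter that defaults to `26.0` purely as an assumption, to be replaced with the point release given in Apple's own security note. Versions are compared component-wise as integers so that `15.10` correctly sorts above `15.9`, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example: classify a macOS productVersion against the minimum patched
# release per line named in the advisory (Sequoia 15.7, Sonoma 14.8, Tahoe 26).

# vercmp A B: exit 0 when dotted version A >= B, comparing numeric components
# left to right; missing trailing components count as 0 (15.7 == 15.7.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# classify_macos VERSION [TAHOE_MIN]
# Prints "patched <line> <version>", "unpatched <line> <version> (need >= <min>)"
# or "unsupported <version>"; exit status 0 / 1 / 2 respectively.
# TAHOE_MIN defaults to 26.0 as an ASSUMPTION: the advisory text names only
# "macOS Tahoe 26", so supply the real point release from Apple's security note.
classify_macos() {
    v="$1"; tahoe_min="${2:-26.0}"
    major="${v%%.*}"
    case "$major" in
        26) line="Tahoe";   min="$tahoe_min" ;;
        15) line="Sequoia"; min="15.7" ;;
        14) line="Sonoma";  min="14.8" ;;
        *)  printf 'unsupported %s\n' "$v"; return 2 ;;
    esac
    if vercmp "$v" "$min"; then
        printf 'patched %s %s\n' "$line" "$v"
        return 0
    fi
    printf 'unpatched %s %s (need >= %s)\n' "$line" "$v" "$min"
    return 1
}

# Stand-alone use on a Mac: classify the running system. sw_vers exists only on
# macOS, so on other hosts this block just defines the functions above.
if command -v sw_vers >/dev/null 2>&1 && [ -z "${1:-}" ]; then
    classify_macos "$(sw_vers -productVersion)" "${TAHOE_MIN:-}"
fi
```

The exit status is what matters for automation: an MDM or inventory script can run this per host and treat anything other than 0 as a remediation ticket. Passing the Tahoe point release explicitly (`classify_macos 26.1 26.0`, or by exporting `TAHOE_MIN`) keeps the assumed default from silently marking an unpatched Tahoe host as current.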

Why this batch matters

While none of the seven CVEs carry a Critical severity rating, the two high-severity privilege-escalation bugs, particularly CVE-2025-43306, which affects all three supported macOS branches, give malware that is already running in a user context a route to root and therefore to disabling or tampering with endpoint controls. The three data-leak CVEs, though medium in severity, collectively widen the privacy exposure for macOS users who have not yet updated to Tahoe 26, Sequoia 15.7, or Sonoma 14.8. Apple's simultaneous disclosure across three OS generations, with no reported in-the-wild exploitation, is the pattern of a coordinated patch cycle rather than an emergency response; that is an inference from the release pattern, since the advisory itself does not state how the issues were found.

AI-written article. Grounded in 7 CVE records listed below.