Vypr Intelligence · AI-generated · Jun 12, 2026 · 17 CVEs

Apple Ships macOS Sequoia 15.4 and SwiftNIO 2.100.0: 17 CVEs Patched Including Sandbox Escape and Request Smuggling

Apple patches 17 CVEs across macOS Sequoia 15.4, macOS Tahoe 26.1, macOS Monterey 12.4, and the SwiftNIO library, including a sandbox escape, a launch constraint bypass, and five high-severity networking flaws.

Key findings

  • macOS Sequoia 15.4 patches 7 CVEs including a sandbox escape (CVE-2025-24284, CVSS 8.8) and launch constraint bypass (CVE-2025-31272, CVSS 7.8)
  • SwiftNIO library gets 5 high-severity fixes: request smuggling, DoS, OOB write, decompression bypass, and CRLF injection
  • All five SwiftNIO CVEs are fixed in version 2.100.0; affected releases run from 1.0.0 through 2.99.0
  • CVE-2025-46308 (authorization issue) also impacts iOS 18.4 and iPadOS 18.4
  • Two older CVEs (CVE-2022-48575, CVE-2022-26758) belatedly patched in macOS Monterey 12.4
  • No evidence of in-the-wild exploitation reported for any of the macOS CVEs at disclosure time

Apple Ships Two Major Patch Batches: macOS Sequoia 15.4 Fixes Seven CVEs While SwiftNIO Library Gets Five High-Severity Fixes

Apple released two distinct security disclosures on June 11–12, 2026, covering 17 CVEs across its operating systems and the open-source SwiftNIO networking library. The larger batch addresses seven vulnerabilities in macOS Sequoia 15.4, including a sandbox escape and a launch constraint bypass. A separate set of five SwiftNIO CVEs, all rated high severity, covers request smuggling, denial of service, and memory corruption in the server-side Swift framework. Two older CVEs affecting macOS Monterey 12.4 were also belatedly published, alongside fixes for macOS Tahoe 26.1, iOS 18.4, and iPadOS 18.4.

macOS Sequoia 15.4: Sandbox Escape and Launch Constraint Bypass

The most impactful cluster is the seven CVEs patched in macOS Sequoia 15.4, disclosed on June 11. Two high-severity bugs stand out: CVE-2025-24284 (CVSS 8.8) allows an app to break out of its sandbox, while CVE-2025-31272 (CVSS 7.8) lets an app bypass launch constraint protections and execute malicious code with elevated privileges. Three symlink-handling flaws — CVE-2025-46293, CVE-2025-43278, and CVE-2025-24268 — could expose protected or sensitive user data. An authorization issue (CVE-2025-46308, CVSS 5.3) also affects iOS 18.4 and iPadOS 18.4, meaning iPhone and iPad users share part of the risk. A privacy issue (CVE-2025-30459) was fixed by removing the vulnerable code entirely. Vypr Intelligence reports no evidence of in-the-wild exploitation at the time of disclosure. All seven flaws are resolved in macOS Sequoia 15.4, available via Software Update.

macOS Tahoe 26.1 and Monterey 12.4: Other Platforms Also Patched

Two additional CVEs were published on June 11 for macOS Tahoe 26.1: CVE-2025-46315 (CVSS 7.5) addresses a permissions issue that could let an app access protected user data, and CVE-2025-46313 (CVSS 5.5) improves data redaction in logging to prevent sensitive data leaks. Separately, Apple published two older CVEs on June 10 for macOS Monterey 12.4: CVE-2022-48575 (CVSS 3.5) fixes a Login Window bypass, and CVE-2022-26758 (CVSS 7.1) addresses a memory corruption issue that could cause unexpected memory changes between processes. These late disclosures highlight Apple's ongoing effort to backport fixes to legacy OS versions.

SwiftNIO: Five High-Severity Bugs in the Server-Side Swift Networking Library

On June 12, the SwiftNIO project disclosed five CVEs affecting the widely used server-side Swift networking library. All five are rated high severity and span multiple components:

  • HTTP/2-to-HTTP/1 request smuggling (CVE-2026-28898): The HTTP2ToHTTP1ServerCodec did not validate pseudo-header values for control characters (CR, LF, NUL), enabling an attacker to smuggle requests across the protocol boundary.
  • Decompression ratio bypass (CVE-2026-28975): NIOHTTPRequestDecompressor enforced its ratio limit using the attacker-controlled Content-Length header rather than actual compressed bytes received, allowing a client to bypass decompression limits.
  • Unbounded HTTP/1 header DoS (CVE-2026-28980): The HTTPDecoder in NIOHTTP1 imposed no limit on the total header block size or the number of header fields, so a remote peer could exhaust server memory with a single request.
  • Out-of-bounds write via UInt32 overflow (CVE-2026-43671): ByteBuffer methods accepting attacker-controlled index or length values exceeding UInt32.max could trigger an out-of-bounds write. Affects all versions from 1.0.0 to 2.99.0.
  • CRLF injection in outbound HTTP URIs (CVE-2026-28970): Insufficient validation of outbound HTTP/1.1 request and response start-line components enables request smuggling and response splitting attacks.
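The first and last items in that list are the same bug class on two sides of the same boundary: any HTTP/1 start-line component that carries CR, LF or NUL lets the peer's HTTP/1 parser see a line break the sender never intended. The Python below is an added example written for this article, not SwiftNIO's own code (the real fixes live in Swift inside HTTP2ToHTTP1ServerCodec and the NIOHTTP1 encoder); the function names, the translation layout and the pseudo-header values are all constructed for illustration. It shows a hostile `:path` turning one HTTP/2 request into two HTTP/1 requests on the backend, and the single validation rule that closes both the inbound translation path and the outbound request-line path.

```python
import re

# Octets that must never appear in an HTTP/1 start-line component. If one
# reaches the wire, the receiving HTTP/1 parser sees a line boundary (or a
# truncated field) that the sender never intended.
_CTL = re.compile(rb"[\r\n\x00]")


def check_component(name: str, value: str) -> bytes:
    """Encode one start-line component, refusing CR, LF and NUL."""
    raw = value.encode("latin-1")  # HTTP field values are octets, not text
    if _CTL.search(raw):
        raise ValueError(f"control character in {name}")
    return raw


def h2_to_h1_unchecked(pseudo: dict) -> bytes:
    """Naive HTTP/2 -> HTTP/1.1 translation: pseudo-headers copied verbatim."""
    head = (f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
            f"host: {pseudo[':authority']}\r\n\r\n")
    return head.encode("latin-1")


def h2_to_h1_checked(pseudo: dict) -> bytes:
    """Hardened translation: every pseudo-header value is validated first."""
    for name in (":method", ":scheme", ":authority", ":path"):
        if name not in pseudo:
            raise ValueError(f"missing {name}")
        check_component(name, pseudo[name])
    return h2_to_h1_unchecked(pseudo)


def client_request_line(method: str, uri: str) -> bytes:
    """Outbound HTTP/1.1 request line built from caller-supplied parts.
    The same check closes the CRLF-injection path on the client side."""
    return (check_component("method", method) + b" "
            + check_component("uri", uri) + b" HTTP/1.1\r\n")


_REQ_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def count_request_lines(stream: bytes) -> int:
    """Number of request lines a downstream HTTP/1 parser would find."""
    return sum(1 for line in stream.split(b"\r\n") if _REQ_LINE.match(line))


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError, i.e. the input was refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed inputs, not captured traffic. The hostile :path terminates the
# first request early and appends a second one aimed at /admin.
BENIGN = {":method": "GET", ":scheme": "https",
          ":authority": "app.example", ":path": "/index"}
SMUGGLED = {**BENIGN,
            ":path": "/ HTTP/1.1\r\nhost: app.example\r\n\r\nGET /admin"}

if __name__ == "__main__":
    print(count_request_lines(h2_to_h1_unchecked(BENIGN)))     # 1
    print(count_request_lines(h2_to_h1_unchecked(SMUGGLED)))   # 2
    print(rejected(h2_to_h1_checked, SMUGGLED))                # True
    print(rejected(client_request_line, "GET", "/a\r\nX: b"))  # True
```

The check is deliberately applied to the raw octets after encoding rather than to the Python string: HTTP/2 pseudo-header values arrive as bytes, and a translation layer that validates a decoded string can miss NUL or mis-handle non-ASCII input. Rejecting the request (here with ValueError, in a server with a RST_STREAM or 400) is the correct response; sanitising the value by stripping the characters would silently change what the client asked for.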

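For the header-block DoS the point a practitioner wants to see is where the limit is enforced: a parser that counts bytes and fields only after it has seen the terminating blank line has already buffered the whole flood. The reader below is an added example for this article, not NIOHTTP1's HTTPDecoder, written in Python to show the incremental check; the limit values, class and function names and the constructed request bytes are all assumptions. It rejects a request with 100,000 header fields after the first kilobyte instead of after a megabyte.

```python
MAX_HEADER_BYTES = 8 * 1024   # assumed limits; real servers make these configurable
MAX_HEADER_FIELDS = 100


class HeaderLimitExceeded(ValueError):
    pass


class BoundedHeaderReader:
    """Accumulates an HTTP/1 request head from arriving chunks and enforces
    the size and field-count limits on every chunk, not once the terminating
    blank line has been seen. Folded headers and validation of names/values
    are out of scope for this illustration."""

    def __init__(self, max_bytes=MAX_HEADER_BYTES, max_fields=MAX_HEADER_FIELDS):
        self.max_bytes = max_bytes
        self.max_fields = max_fields
        self.buf = bytearray()
        self.request_line = None
        self.fields = None  # list of (name, value) once the head is complete

    def feed(self, chunk: bytes) -> bool:
        """Consume one chunk; return True once the head is complete."""
        if self.fields is not None:
            raise RuntimeError("head already complete")
        self.buf += chunk
        if len(self.buf) > self.max_bytes:
            raise HeaderLimitExceeded(f"head exceeds {self.max_bytes} bytes")
        end = self.buf.find(b"\r\n\r\n")
        # Count CRLFs up to (and including) the one that ends the last
        # complete line; subtracting the request line's CRLF leaves the
        # number of complete header fields buffered so far.
        limit = end + 2 if end >= 0 else len(self.buf)
        complete_fields = self.buf.count(b"\r\n", 0, limit) - 1
        if complete_fields > self.max_fields:
            raise HeaderLimitExceeded(f"more than {self.max_fields} fields")
        if end < 0:
            return False
        lines = bytes(self.buf[:end]).split(b"\r\n")
        self.request_line = lines[0]
        self.fields = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            self.fields.append((name.strip().lower(), value.strip()))
        return True


def parse_head(chunks):
    """Feed chunks until the head is complete; return (request_line, fields)."""
    reader = BoundedHeaderReader()
    for chunk in chunks:
        if reader.feed(chunk):
            return reader.request_line, reader.fields
    return None


def bytes_before_rejection(stream: bytes, chunk: int = 1024) -> int:
    """Feed `stream` in fixed-size chunks; return how many bytes the reader
    accepted before rejecting it, or -1 if it was never rejected."""
    reader = BoundedHeaderReader()
    fed = 0
    for off in range(0, len(stream), chunk):
        piece = stream[off:off + chunk]
        try:
            reader.feed(piece)
        except HeaderLimitExceeded:
            return fed + len(piece)
        fed += len(piece)
        if reader.fields is not None:
            break
    return -1


# Constructed inputs, not captured traffic: a normal request split across
# two TCP reads, and a single request carrying 100,000 header fields.
LEGIT = [b"GET /health HTTP/1.1\r\nhost: app.exam",
         b"ple\r\nuser-agent: probe\r\n\r\n"]
FLOOD = b"GET / HTTP/1.1\r\n" + b"".join(b"x%d: y\r\n" % i for i in range(100_000))

if __name__ == "__main__":
    print(parse_head(LEGIT))
    print(len(FLOOD), "bytes sent;", bytes_before_rejection(FLOOD), "accepted")
```

Both limits are checked before the reader looks for the end of the head, so memory held per connection is bounded by the byte limit regardless of how the peer paces its writes. The field-count check also catches a flood of tiny headers that would fit under the byte limit for a while, which is why the two limits are independent.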
All SwiftNIO CVEs are fixed in version 2.100.0 and later releases. Users of swift-nio, swift-nio-http2, and swift-nio-extras should upgrade immediately.

Broader Impact and Recommendations

For macOS users, the Sequoia 15.4 update is critical — the sandbox escape (CVE-2025-24284) and launch constraint bypass (CVE-2025-31272) together give an attacker a powerful chain for code execution with elevated privileges. iOS and iPadOS users should also apply the 18.4 update to close CVE-2025-46308. For server-side Swift developers, the SwiftNIO batch is equally urgent: request smuggling, DoS, and memory corruption flaws in a foundational networking library can ripple across any service built on it. The fixes in SwiftNIO 2.100.0 should be treated as a priority upgrade.

AI-written article. Grounded in 17 CVE records listed below.