CVE-2025-43451
Description
A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A permission handling flaw in macOS could let an app bypass Privacy preferences and access sensitive user data; it is fixed in macOS Tahoe 26.
Vulnerability
A permissions issue in macOS versions before Tahoe 26 allows an app to bypass Privacy preferences, potentially granting access to sensitive user data. The vulnerability was addressed by removing the vulnerable code and improving symlink validation. The issue affects Mac Studio (2022 and later), iMac (2020 and later), Mac Pro (2019 and later), Mac mini (2020 and later), MacBook Air with Apple silicon (2020 and later), MacBook Pro (16-inch, 2019), MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), and MacBook Pro with Apple silicon (2020 and later) running macOS versions earlier than Tahoe 26 [1].
Exploitation
An attacker would need to deliver a malicious app to the target system. User interaction (such as launching the app) is required. Once executed, the app could exploit the permission handling flaw to bypass Privacy preference controls without further authentication [1].
Impact
Successful exploitation allows the malicious app to access sensitive user data that would normally be protected by Privacy preferences. The attacker gains access to information at the user's privilege level, potentially leading to disclosure of personal or confidential data [1].
Mitigation
Apple released macOS Tahoe 26 on September 15, 2025, which fixes this issue. Users should update to macOS Tahoe 26 or later via Software Update or Apple's security update mechanism [1]. There are no known workarounds for unpatched systems.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 26
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.