CVE-2025-46307

Vulnerability

A logic issue in macOS Tahoe 26 allows an app to bypass Privacy preferences due to improper symlink validation. Affected versions include macOS Tahoe v26 and earlier, with the fix applied in macOS Tahoe 26 release. The issue is present in Apple's operating system for Mac Studio (2022 and later), iMac (2020 and later), Mac Pro (2019 and later), Mac mini (2020 and later), MacBook Air with Apple silicon (2020 and later), MacBook Pro (16-inch, 2019), MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), and MacBook Pro with Apple silicon (2020 and later). [1]

Exploitation

An attacker would need to distribute a malicious app to the user, which when executed could exploit the logic issue. The app would need to be able to create symlinks in certain contexts, but the exact prerequisites for exploitation are not detailed in the available references. The attack likely requires no special network position or authentication beyond the ability to run an app on the target system. [1]

Impact

Successful exploitation allows an app to bypass Privacy preferences and access sensitive user data that would otherwise be protected. This could include personal information such as contacts, photos, location, or other data controlled by Privacy settings. The impact is unauthorized information disclosure without the user's consent. [1]

Mitigation

The vulnerability is fixed in macOS Tahoe 26, released on September 15, 2025. Users should update their systems to this version or later via Software Update. No workarounds are disclosed. The update is available for the specified Mac models. [1]