Apple macOS Tahoe, Sequoia, Sonoma Patch Batch Fixes Seven CVEs Including Two High-Severity Privilege Escalation Flaws
Apple patched seven CVEs across macOS Tahoe 26, Sequoia 15.7, and Sonoma 14.8 on May 26, including two high-severity bugs that could let a malicious app gain root privileges.

Apple released a coordinated batch of seven security patches on May 26, 2026, addressing vulnerabilities across macOS Tahoe 26, macOS Sequoia 15.7, and macOS Sonoma 14.8. The batch includes two high-severity CVEs (CVSS 7.0 and 7.8) that could allow a malicious application to escalate to root privileges, alongside five medium-severity flaws covering data leakage, file-system tampering, and denial of service. All seven CVEs were published simultaneously in Apple's advisory cycle.
The most severe issue in the batch is CVE-2025-43306 (CVSS 7.8), a logic flaw in macOS that Apple addressed with improved checks. A malicious app may be able to gain root privileges. The fix spans macOS Tahoe 26, Sequoia 15.7, and Sonoma 14.8, making it the broadest-reaching patch in the group. Close behind is CVE-2025-46284 (CVSS 7.0), a race condition resolved with additional validation. That bug is fixed in macOS Sequoia 15.7 and macOS Tahoe 26, and also carries the root-privileges impact.
Three medium-severity CVEs (all CVSS 5.5) share a common impact: an app may be able to access sensitive user data. CVE-2025-46307 is a logic issue fixed in macOS Tahoe 26. CVE-2025-43451 is a permissions issue addressed by removing the vulnerable code, also fixed in Tahoe 26. CVE-2025-43289 is a logic issue with improved validation, and notably is the broadest of the three — its fix covers macOS Tahoe 26, Sequoia 15.7, and Sonoma 14.8.
Two additional medium-severity bugs round out the batch. CVE-2025-43290 (CVSS 5.5) is a permissions issue addressed with additional restrictions that could let an app modify protected parts of the file system; it is fixed across Tahoe 26, Sequoia 15.7, and Sonoma 14.8. CVE-2025-46280 (CVSS 5.5) is an out-of-bounds read addressed with improved bounds checking that could cause unexpected system termination; its fix is limited to macOS Tahoe 26.
Apple's fixes are distributed across three macOS release lines. macOS Tahoe 26 receives patches for all seven CVEs. macOS Sequoia 15.7 covers four: CVE-2025-46284, CVE-2025-43306, CVE-2025-43290, and CVE-2025-43289. macOS Sonoma 14.8 covers three: CVE-2025-43306, CVE-2025-43290, and CVE-2025-43289. Users on older macOS versions that are not covered by these updates should upgrade to a supported release line. As of disclosure, no active exploitation has been reported for any of the seven CVEs.
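The fix matrix above can be turned into a fleet check. The following Python sketch is an added example, not Apple tooling; it assumes a host at or above the listed version on the same major release line contains the fix, and the function names and the inventory are constructed for illustration.

```python
# Added example: triage macOS hosts against the fix matrix stated in this article.
# Assumption: a host at or above the listed version on the same major line has the fix.
FIXED_IN = {  # CVE -> {major line: first fixed (major, minor)}, as listed in the article
    "CVE-2025-43306": {26: (26, 0), 15: (15, 7), 14: (14, 8)},
    "CVE-2025-46284": {26: (26, 0), 15: (15, 7)},
    "CVE-2025-43289": {26: (26, 0), 15: (15, 7), 14: (14, 8)},
    "CVE-2025-43290": {26: (26, 0), 15: (15, 7), 14: (14, 8)},
    "CVE-2025-46307": {26: (26, 0)},
    "CVE-2025-43451": {26: (26, 0)},
    "CVE-2025-46280": {26: (26, 0)},
}
ROOT_IMPACT = {"CVE-2025-43306", "CVE-2025-46284"}  # the two high-severity bugs


def parse_version(text):
    """'15.6.1' -> (15, 6); a bare '26' -> (26, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return (parts[0], parts[1] if len(parts) > 1 else 0)


def triage(version_text):
    """Map each CVE to 'patched', 'update_available' or 'no_fix_on_line' for one host."""
    version = parse_version(version_text)
    result = {}
    for cve, lines in FIXED_IN.items():
        fixed = lines.get(version[0])
        if fixed is None:
            # The article lists no fix for this release line and does not say
            # whether the line is affected, so report it separately.
            result[cve] = "no_fix_on_line"
        else:
            result[cve] = "patched" if version >= fixed else "update_available"
    return result


def needs_priority(version_text):
    """True when a root-privilege CVE has a fix on this host's line that is not installed."""
    status = triage(version_text)
    return any(status[cve] == "update_available" for cve in ROOT_IMPACT)


if __name__ == "__main__":
    # Constructed inventory: hostname -> output of `sw_vers -productVersion`
    inventory = {"mac-01": "26.0", "mac-02": "15.6.1", "mac-03": "14.8", "mac-04": "13.7.2"}
    for host, ver in inventory.items():
        open_cves = {c: s for c, s in triage(ver).items() if s != "patched"}
        print(f"{host} {ver} priority={needs_priority(ver)} open={open_cves}")
```

Hosts whose every entry is `no_fix_on_line` are on a release line these updates do not cover and fall under the upgrade advice above.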
While none of the seven CVEs carries a Critical severity rating, the two high-severity privilege-escalation bugs, particularly CVE-2025-43306, which affects all three supported macOS branches, represent a meaningful attack surface for malware already running on a user's machine. The three data-leak CVEs, though medium in severity, collectively widen the privacy risk for macOS users who have not yet updated to Tahoe 26, Sequoia 15.7, or Sonoma 14.8. Apple's simultaneous disclosure across three OS generations signals that these issues were discovered and remediated as part of a coordinated internal review or researcher report, rather than through in-the-wild exploitation. Users should apply the updates as soon as practical to mitigate the risk of local privilege escalation and data exposure.