Apple Patches CoreSymbolication Out-of-Bounds Read Vulnerability in macOS
Apple has released a security update for macOS to address CVE-2026-28918, an out-of-bounds read vulnerability in the CoreSymbolication framework that could allow remote attackers to disclose sensitive information.
Apple has issued a security update to address a vulnerability in the CoreSymbolication framework of macOS, identified as CVE-2026-28918. The flaw, disclosed by the Zero Day Initiative as ZDI-26-311, is an out-of-bounds read vulnerability that could allow remote attackers to disclose sensitive information from affected systems.
The vulnerability exists within the CoreSymbolication framework, which is used for symbolication of crash logs and debugging. The issue stems from improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This out-of-bounds read can leak sensitive memory contents to an attacker.
Exploitation of this vulnerability requires user interaction with the CoreSymbolication framework, though attack vectors may vary depending on the implementation. An attacker could leverage this information disclosure in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. The vulnerability carries a CVSS score of 3.3, with a vector string of AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating low severity but requiring user interaction.
Apple has issued an update to correct this vulnerability, with details available on their security support page at https://support.apple.com/en-ca/127115. The vulnerability was reported to Apple on March 5, 2026, and the coordinated public release of the advisory occurred on May 12, 2026. The discoverer of the vulnerability chose to remain anonymous.
While the CVSS score is relatively low, the vulnerability's potential to be chained with other exploits makes it noteworthy for security researchers and enterprise defenders. Out-of-bounds read vulnerabilities in system frameworks can serve as stepping stones for more severe attacks, particularly when combined with memory corruption bugs that enable arbitrary code execution.
This advisory is part of Apple's ongoing efforts to address security issues in its operating system. Users are advised to apply the latest security updates to protect their systems against potential exploitation. Organizations should prioritize patching macOS systems, especially those used in sensitive environments where information disclosure could have significant consequences.