Apple Patches Critical Out-of-Bounds Write Vulnerability in macOS USD Library (CVE-2026-28940)
Apple has released a security update to address CVE-2026-28940, a critical out-of-bounds write vulnerability in the macOS USD library that could allow remote code execution via a crafted USD file.

Apple has released a security update to address CVE-2026-28940, a critical vulnerability in the macOS USD library that could allow remote attackers to execute arbitrary code. The flaw, reported by Michael DePlante of TrendAI Zero Day Initiative, was disclosed on May 12, 2026, as part of a coordinated public release.
The vulnerability, tracked as ZDI-26-314, is an out-of-bounds write issue in the USD (Universal Scene Description) library. The flaw stems from improper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker could exploit this vulnerability by convincing a user to open a specially crafted USD file, leading to code execution in the context of the current process.
The vulnerability affects Apple macOS and carries a CVSS score of 7.8, indicating high severity. The attack vector is local and requires user interaction, but the impact on confidentiality, integrity, and availability is high. Depending on how the library is used, a crafted USD file could be delivered through several channels, such as email attachments or malicious websites.
Apple has issued a security update to correct this vulnerability. Users are advised to apply the update as soon as possible to mitigate the risk. The update is available via Apple's support page at https://support.apple.com/en-ca/127115.
The vulnerability was reported to Apple on February 12, 2026, and the coordinated public release occurred on May 12, 2026. The three-month interval between the report and public disclosure is typical of coordinated vulnerability disclosure.
This vulnerability is part of a broader trend of critical flaws in file parsing libraries, which are often targeted by attackers due to their widespread use and potential for remote code execution. Users and administrators should ensure that their systems are updated to the latest version of macOS to protect against this and other vulnerabilities.