Apple Patches Out-of-Bounds Read Information Disclosure Flaw in macOS USD Library
Apple has released a security update to address CVE-2026-28941, an out-of-bounds read vulnerability in the macOS USD library that could allow remote attackers to leak sensitive memory.

Apple has issued a security update to address CVE-2026-28941, an out-of-bounds read information disclosure vulnerability in the macOS USD library. The flaw, tracked by the Zero Day Initiative as ZDI-26-315, was reported by Michael DePlante of TrendAI Zero Day Initiative. With a CVSS score of 3.3 the vulnerability is rated low severity, but it still exposes memory contents that should never leave the process.
The vulnerability exists within the USD (Universal Scene Description) library, a framework used for describing and exchanging 3D scenes. The issue stems from a lack of proper validation of user-supplied data: a size or offset taken from the file is used without checking it against the buffer that was actually allocated, so the library reads past the end of that buffer, and whatever bytes happen to follow it in memory can be returned to the attacker. Exploitation requires user interaction, such as opening a malicious USD file, and the exact attack vector depends on which application or service hands the file to the library.
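To make that mechanism concrete, the following is an added example, not Apple's code, not the USD library's code, and not USD's real on-disk format. It is a hypothetical length-prefixed record parser in C, shown in a vulnerable form beside a hardened form. The record layout, the arena, the planted secret and every function name are constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-prefixed record, NOT the real USD/usdc layout:
 *   bytes 0..3  u32 little-endian payload length
 *   bytes 4..   payload
 * The "file" lives at the start of a larger static arena, and a constructed
 * secret is placed right after it, standing in for whatever neighbouring heap
 * allocation the leaked bytes would really come from.
 */
#define FILE_LEN 8u                       /* 4-byte header + 4-byte payload */
static const char SECRET[] = "SECRET-KEY-MATERIAL";
static uint8_t arena[64];

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the arena: a record whose header claims `claimed_len` payload bytes
 * although only 4 were actually delivered, followed by the constructed secret. */
static void build_arena(uint32_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = (uint8_t)claimed_len;      /* little-endian; values here fit one byte */
    memcpy(arena + 4, "ABCD", 4);
    memcpy(arena + FILE_LEN, SECRET, sizeof SECRET);
}

/* Vulnerable parser: trusts the length field. Clamping to out_cap protects
 * the destination buffer but not the source, so it reads past buf + buf_len. */
static size_t read_payload_unchecked(const uint8_t *buf, size_t buf_len,
                                     uint8_t *out, size_t out_cap) {
    if (buf_len < 4) return 0;
    size_t n = read_u32le(buf);
    if (n > out_cap) n = out_cap;
    memcpy(out, buf + 4, n);              /* out-of-bounds read when n > buf_len - 4 */
    return n;
}

/* Hardened parser: the declared length must fit inside the bytes that were
 * actually read from the file, and inside the caller's output buffer. */
static int read_payload_checked(const uint8_t *buf, size_t buf_len,
                                uint8_t *out, size_t out_cap, size_t *out_len) {
    if (buf_len < 4) return -1;
    size_t n = read_u32le(buf);
    if (n > buf_len - 4) return -1;       /* claims more payload than is present */
    if (n > out_cap) return -1;
    memcpy(out, buf + 4, n);
    *out_len = n;
    return 0;
}

/* Returns 1 if the unchecked parser copied the planted secret into the output. */
int unchecked_leaks_secret(void) {
    uint8_t out[64];
    build_arena(40);
    size_t n = read_payload_unchecked(arena, FILE_LEN, out, sizeof out);
    return n == 40 && memcmp(out + 4, SECRET, strlen(SECRET)) == 0;
}

/* Returns 1 if the checked parser rejects the same malformed record. */
int checked_rejects_malformed(void) {
    uint8_t out[64];
    size_t n = 0;
    build_arena(40);
    return read_payload_checked(arena, FILE_LEN, out, sizeof out, &n) == -1 && n == 0;
}

/* Returns 1 if the checked parser still accepts a well-formed record. */
int checked_accepts_wellformed(void) {
    uint8_t out[64];
    size_t n = 0;
    build_arena(4);
    return read_payload_checked(arena, FILE_LEN, out, sizeof out, &n) == 0 &&
           n == 4 && memcmp(out, "ABCD", 4) == 0;
}

int main(void) {
    printf("unchecked parser leaks secret:    %d\n", unchecked_leaks_secret());
    printf("checked parser rejects malformed: %d\n", checked_rejects_malformed());
    printf("checked parser accepts valid:     %d\n", checked_accepts_wellformed());
    return 0;
}
```

The bug pattern worth noticing is that the unchecked version does have a bounds check, but on the wrong side: clamping to `out_cap` stops a write overflow while leaving the read unbounded, which is exactly the shape of an information-disclosure-only flaw. The fix compares the attacker-supplied length against the number of bytes actually present in the input, before touching memory. In a real library the leaked bytes would be whatever heap object sits after the parsed buffer rather than a planted string, which is what makes such reads useful to an attacker.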
On its own the flaw only discloses memory, but an attacker could leverage it in conjunction with other flaws to execute arbitrary code in the context of the current process: leaked heap or code pointers are a common way to defeat address space layout randomization before a separate memory corruption bug is triggered. The CVSS score is low because exploitation needs user interaction and the direct impact is limited to confidentiality, yet that information disclosure is precisely what makes the bug valuable in a chain. The vulnerability affects macOS systems, and the attacker needs no existing access to the machine beyond getting a malicious file, delivered by any remote channel, in front of a user who opens it.
Apple has addressed the vulnerability in a security update, with details available on Apple's support page. Users are strongly advised to apply the latest macOS updates to protect against potential exploitation. The disclosure timeline indicates that the vulnerability was reported to Apple on February 19, 2026, and the coordinated public release of the advisory occurred on May 12, 2026.
This vulnerability is part of a broader pattern of memory safety issues in software libraries. Out-of-bounds reads are a common class of vulnerabilities that can lead to information disclosure or, when combined with other bugs, code execution. Apple has been increasingly proactive in patching such flaws, but the reliance on memory-safe languages and rigorous testing.
The discovery of this vulnerability by the Zero Day Initiative underscores the importance of coordinated vulnerability disclosure programs in identifying and mitigating security risks. Users should ensure their systems are up to date to defend against potential attacks. The advisory also highlights the need for continued vigilance in software security, particularly in libraries that process untrusted data.