VYPR
Patch · Published May 31, 2026 · 1 source

Apple Patches Three Privacy-Leak CVEs Across macOS Tahoe, Sequoia, and Sonoma

Apple shipped fixes for three medium-severity CVEs on May 26, addressing logic and permissions flaws that could let an app access sensitive user data across macOS Tahoe, Sequoia, and Sonoma.

Apple released a coordinated batch of three security patches on May 26, 2026, addressing vulnerabilities in macOS that could allow an application to access sensitive user data. The three CVEs — CVE-2025-46307, CVE-2025-43451, and CVE-2025-43289 — all carry a CVSSv3 score of 5.5 (Medium) and were disclosed simultaneously in Apple's advisory cycle.

Two of the three flaws are logic issues. CVE-2025-46307 was resolved with improved restrictions, while CVE-2025-43289 was fixed through improved validation. The third vulnerability, CVE-2025-43451, stems from a permissions issue that Apple addressed by removing the vulnerable code entirely. All three share the same impact description: an app may be able to access sensitive user data.

The patch scope differs across the three CVEs. CVE-2025-46307 and CVE-2025-43451 are fixed exclusively in macOS Tahoe 26, Apple's latest major OS release. CVE-2025-43289 is the broadest of the batch, with fixes spanning macOS Tahoe 26, macOS Sequoia 15.7, and macOS Sonoma 14.8, meaning users on older supported releases also receive coverage for that particular flaw.

Apple has not reported active exploitation of any of these three CVEs in the wild as of the disclosure date. The company's advisories do not name a specific researcher or reporting party for these findings.

For users and administrators, the takeaway is straightforward: update to macOS Tahoe 26, Sequoia 15.7, or Sonoma 14.8 as appropriate. Those on Tahoe 26 receive the full set of fixes; users still on Sequoia or Sonoma should prioritize the update to 15.7 or 14.8 respectively to close CVE-2025-43289. While none of the three CVEs carry a Critical severity, the consistent "sensitive user data" impact theme across the batch underscores the importance of timely patching for privacy-focused macOS deployments.
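The patch scope above can be turned into an inventory check. The following is an added example, not Apple's or Vypr's code: it assumes version strings in the form printed by `sw_vers -productVersion`, treats "Tahoe 26" as 26.0, and uses hypothetical function names and a constructed host inventory.

```python
# Fix versions are the ones stated in the article; "Tahoe 26" is assumed
# to mean 26.0. Hosts and versions in INVENTORY are constructed sample data.
FIXED_IN = {  # CVE -> {major release line: first version carrying the fix}
    "CVE-2025-46307": {26: (26, 0)},
    "CVE-2025-43451": {26: (26, 0)},
    "CVE-2025-43289": {26: (26, 0), 15: (15, 7), 14: (14, 8)},
}

def parse_version(text):
    """Turn '15.6.1' into (15, 6, 1); return None for malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '26' to (26, 0, 0)

def cve_status(version_text):
    """Map each CVE to 'fixed', 'update-needed', 'no-fix-listed' or 'unknown'."""
    ver = parse_version(version_text)
    result = {}
    for cve, lines in FIXED_IN.items():
        if ver is None:
            result[cve] = "unknown"
        elif ver[0] not in lines:
            # The article lists no fix for this release line and does not say
            # whether the line is affected, so flag it for manual review.
            result[cve] = "no-fix-listed"
        elif ver >= lines[ver[0]]:
            result[cve] = "fixed"
        else:
            result[cve] = "update-needed"
    return result

INVENTORY = {  # constructed sample data
    "mac-a": "26.0", "mac-b": "15.6.1", "mac-c": "15.7",
    "mac-d": "14.8.1", "mac-e": "13.7.2", "mac-f": "n/a",
}

def audit(inventory):
    """Return {host: {cve: status}} for hosts that are not fully fixed."""
    report = {h: cve_status(v) for h, v in inventory.items()}
    return {h: s for h, s in report.items() if set(s.values()) != {"fixed"}}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, status)
```

A host on 15.7 or 14.8 still appears in the report, because the article lists fixes for CVE-2025-46307 and CVE-2025-43451 only in Tahoe 26.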

Synthesized by Vypr AI