macOS Sequoia 15.4: Seven CVEs Patched, Including Sandbox Escape and Launch Constraint Bypass

Key findings
- Seven CVEs disclosed together in macOS Sequoia 15.4 security update
- Two high-severity bugs: sandbox escape (CVE-2025-24284, CVSS 8.8) and launch constraint bypass (CVE-2025-31272, CVSS 7.8)
- Three symlink-handling flaws (CVE-2025-46293, CVE-2025-43278) could expose protected user data
- One authorization issue (CVE-2025-46308) also affects iOS 18.4 and iPadOS 18.4
- No evidence of in-the-wild exploitation at time of disclosure
- All flaws fixed in macOS Sequoia 15.4, available via Software Update
Apple on June 11 released macOS Sequoia 15.4, a security update that patches seven vulnerabilities disclosed together, including two high-severity flaws that could let an attacker escape the sandbox or bypass launch constraints to run arbitrary code with elevated privileges.
The batch, published as part of Apple's regular security release cycle, covers a range of bug classes — from symlink-handling issues to authorization and path-parsing problems — all of which were addressed in the same macOS Sequoia 15.4 update. The two most severe CVEs in the batch are CVE-2025-24284 (CVSS 8.8, High) and CVE-2025-31272 (CVSS 7.8, High). CVE-2025-24284 is a sandbox-escape vulnerability: Apple says an app may be able to break out of its sandbox, a classic avenue for privilege escalation or data theft. CVE-2025-31272 targets launch constraint protections — the macOS mechanism that restricts how processes can be launched — and could allow an app to execute malicious code with elevated privileges.
Three medium-severity CVEs in the batch involve symlink handling. CVE-2025-46293 and CVE-2025-43278 were both addressed with improved handling of symlinks, and both could let an app access protected user data. Symlink-based attacks are a recurring macOS weakness; they typically work by tricking a privileged process into following a symbolic link that points to a file the attacker should not be able to read or write.
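
The symlink-following problem described above, seen from the defender's side in an added example (not from Apple's advisory and not a reproduction of either CVE): a path-string open that follows links, beside a descriptor-relative open that refuses a symlink in any path component. The function names, directory layout and file contents are constructed for illustration, and the root directory is assumed to be trusted.

```python
import os
import stat
import tempfile

def naive_read(root, relpath):  # weak form: open() follows every symlink in the path
    with open(os.path.join(root, relpath), "rb") as f:
        return f.read()

def open_beneath(root, relpath):
    """Open relpath under root read-only, refusing a symlink in any component."""
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("relpath must be a plain relative path")
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)  # root: trusted (assumption)
    try:
        for name in parts[:-1]:  # one component at a time, relative to the fd we hold
            nxt = os.open(name, flags | os.O_DIRECTORY, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = os.open(parts[-1], flags | os.O_NONBLOCK, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    # Validate the object actually opened (fstat on the fd), never the path again.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError("refusing non-regular file")
    return fd

def safe_read(root, relpath):
    with os.fdopen(open_beneath(root, relpath), "rb") as f:
        return f.read()

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed layout, removed on exit
        root, secret = os.path.join(tmp, "app"), os.path.join(tmp, "protected.txt")
        os.makedirs(os.path.join(root, "data"))
        for path, body in ((secret, b"protected"), (os.path.join(root, "data", "ok.txt"), b"ok")):
            with open(path, "wb") as f:
                f.write(body)
        os.symlink(secret, os.path.join(root, "data", "link.txt"))  # link as final component
        os.symlink(tmp, os.path.join(root, "up"))                   # link as directory component
        out = {"naive": naive_read(root, "data/link.txt"), "ok": safe_read(root, "data/ok.txt")}
        for rel in ("data/link.txt", "up/protected.txt"):
            try:
                out[rel] = safe_read(root, rel)
            except OSError:
                out[rel] = "refused"
        return out
```

`demo()` returns the protected bytes for the naive read and `"refused"` for both link cases under the hardened open, while the ordinary file inside the root still reads normally.
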
Two additional medium-severity privacy bugs round out the batch. CVE-2025-46308 (CVSS 5.3) is an authorization issue that could let an app leak sensitive user information; Apple fixed it with improved state management. CVE-2025-30459 (CVSS 5.5) was remediated by removing the vulnerable code entirely, preventing an app from accessing sensitive user data. CVE-2025-24268 (CVSS 5.5) is a path-parsing flaw in directory-path handling — fixed with improved path validation — that similarly could expose sensitive user data.
All seven CVEs are fixed in macOS Sequoia 15.4. Apple's advisory does not indicate that any of the flaws are known to have been exploited in the wild at the time of disclosure. Users running macOS Sequoia should update via System Settings > Software Update. The fix for the authorization issue (CVE-2025-46308), which affects Apple's mobile platforms as well, is also included in the corresponding iOS 18.4 and iPadOS 18.4 releases.
For macOS Sequoia users, this batch is a reminder that sandbox escapes and launch-constraint bypasses remain a priority for Apple's security team. The two high-severity bugs — especially the sandbox escape — are the kind of vulnerabilities that security researchers and threat actors alike watch closely, as they can serve as building blocks for full-system compromise when chained with other flaws.