CVE-2026-28825

High

Published: 25 March 2026

Published

25 March 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

EPSS Score 0.0005 16.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28825 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Macos. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the out-of-bounds write vulnerability fixed by improved bounds checking in macOS Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4.

CM-11 User-installed Software good match

prevent

Restricts user installation and execution of unapproved malicious apps required for exploiting this vulnerability via user interaction.

SI-10 Information Input Validation good match

prevent

Enforces input validation and bounds checking to directly mitigate the CWE-787 out-of-bounds write enabling filesystem modification.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

OOB write in kernel enables unauthorized protected FS modification (effective priv esc + stored data manip) and system crashes (endpoint DoS via exploitation); user-run malicious app is the trigger but vuln itself provides the capability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected parts of the file system.

Deeper analysisAI

CVE-2026-28825 is an out-of-bounds write vulnerability stemming from insufficient bounds checking, classified under CWE-787. It affects macOS systems prior to the patched versions of macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. The flaw enables a malicious app to modify protected parts of the file system, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

Exploitation requires a remote attacker to deliver a malicious app that a user must interact with, such as by downloading and executing it. No privileges are needed on the target system, and the attack has low complexity. Upon success, the attacker achieves low integrity impact by altering protected file system areas and high availability impact, potentially causing disruptions like crashes, while confidentiality remains unaffected.

Apple security advisories confirm the vulnerability was addressed through improved bounds checking in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. Mitigation involves updating affected systems to these versions or later. Further details appear in Apple support pages (https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796) and a technical blog post analyzing the issue as an Apple kernel bug (https://blog.calif.io/p/mad-bugs-an-apple-kernel-bug-brought).

Details

CWE(s): CWE-787

Affected Products

apple

macos

14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

CVEs Like This One

CVE-2025-24273Same product: Apple Macos

CVE-2024-54509Same product: Apple Macos

CVE-2025-30464Same product: Apple Macos

CVE-2025-24139Same product: Apple Macos

CVE-2025-24231Same product: Apple Macos

CVE-2025-43237Same product: Apple Macos

CVE-2025-43219Same product: Apple Macos

CVE-2024-44199Same product: Apple Macos

CVE-2025-24130Same product: Apple Macos

CVE-2025-24170Same product: Apple Macos

References

https://support.apple.com/en-us/126794
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/126795
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/126796
Release Notes, Vendor Advisory · product-security@apple.com
https://blog.calif.io/p/mad-bugs-an-apple-kernel-bug-brought
af854a3a-2127-422b-91ae-364da2661108
https://blog.calif.io/p/mad-bugs-an-apple-kernel-bug-brought
134c704f-9b21-4f2e-91b3-4a467353bcc0