Cyber Resilience

CVE-2026-28825

High

Published: 25 March 2026

Published
25 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
EPSS Score 0.0006 19.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28825 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Macos. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28825 is an out-of-bounds write vulnerability stemming from insufficient bounds checking, classified under CWE-787. It affects macOS systems prior to the patched versions of macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. The flaw enables a malicious app to modify protected parts of the file system, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

Exploitation requires a remote attacker to deliver a malicious app that a user must interact with, such as by downloading and executing it. No privileges are needed on the target system, and the attack has low complexity. Upon success, the attacker achieves low integrity impact by altering protected file system areas and high availability impact, potentially causing disruptions like crashes, while confidentiality remains unaffected.

Apple security advisories confirm the vulnerability was addressed through improved bounds checking in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. Mitigation involves updating affected systems to these versions or later. Further details appear in Apple support pages (https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796) and a technical blog post analyzing the issue as an Apple kernel bug (https://blog.calif.io/p/mad-bugs-an-apple-kernel-bug-brought).

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected parts of the file system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

OOB write in kernel enables unauthorized protected FS modification (effective priv esc + stored data manip) and system crashes (endpoint DoS via exploitation); user-run malicious app is the trigger but vuln itself provides the capability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24273Same product: Apple Macos
CVE-2025-30464Same product: Apple Macos
CVE-2025-24231Same product: Apple Macos
CVE-2025-24139Same product: Apple Macos
CVE-2024-54509Same product: Apple Macos
CVE-2025-43219Same product: Apple Macos
CVE-2025-43237Same product: Apple Macos
CVE-2024-44303Same product: Apple Macos
CVE-2024-44199Same product: Apple Macos
CVE-2025-24130Same product: Apple Macos

Affected Assets

apple
macos
14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the out-of-bounds write vulnerability fixed by improved bounds checking in macOS Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4.

prevent

Restricts user installation and execution of unapproved malicious apps required for exploiting this vulnerability via user interaction.

prevent

Enforces input validation and bounds checking to directly mitigate the CWE-787 out-of-bounds write enabling filesystem modification.

References