Cyber Resilience

CVE-2026-28891

High

Published: 25 March 2026

Modified: 25 March 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0014 (4.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28891 is a high-severity race condition (CWE-362) vulnerability in Apple macOS. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 4.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2026-28891 is a race condition vulnerability (CWE-362) that was addressed through additional validation in Apple's macOS operating system. It affects macOS Sequoia prior to version 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.4. The flaw enables a malicious app to break out of its sandbox, potentially escalating access beyond intended restrictions. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), reflecting local attack vector (AV:L), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope (S:C), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

A local attacker can exploit this race condition to bypass sandboxing mechanisms. No special privileges or user interaction are needed, though the high complexity suggests reliable exploitation requires precise timing and conditions. Successful exploitation grants the app elevated access, enabling high-impact compromise of system confidentiality, integrity, and availability with scope expansion beyond the sandboxed environment.

Apple's security advisories detail the fix via additional validation in the patched versions: macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. Security practitioners should prioritize updating affected systems. Relevant advisories are available at https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, and https://support.apple.com/en-us/126796.
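
To act on the fixed versions listed above, the following added example (not code from Apple or from this page) triages a host inventory against them. It assumes each host reports the string printed by `sw_vers -productVersion`; the function names and the sample inventory are hypothetical.

```python
# Fixed versions as stated in the advisory text above, keyed by major release.
FIXED = {14: (14, 8, 5), 15: (15, 7, 5), 26: (26, 4, 0)}  # Sonoma, Sequoia, Tahoe

def parse_version(text):
    """Parse '15.7.4' or '26.4' into a 3-tuple; return None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # '26.4' compares as 26.4.0

def classify(product_version):
    """Return 'vulnerable', 'patched', 'not-listed' or 'unparseable'."""
    ver = parse_version(product_version)
    if ver is None:
        return "unparseable"
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # The page names only the 14, 15 and 26 release lines; do not guess.
        return "not-listed"
    return "patched" if ver >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by status from a {hostname: version} inventory."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "mac-build-01": "15.7.4",
    "mac-build-02": "15.7.5",
    "mac-design-07": "14.8.5",
    "mac-design-09": "14.6",
    "mac-exec-03": "26.3.1",
    "mac-exec-04": "26.4",
    "mac-lab-11": "13.7.8",
    "mac-lab-12": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `not-listed` or `unparseable` need manual review rather than being counted as safe.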

Vulnerability details

A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.

CWE(s)

CWE-362 (Race Condition)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Race condition enables direct sandbox escape for local privilege escalation without requiring initial privileges or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28817: same product (Apple macOS)
CVE-2025-43275: same product (Apple macOS)
CVE-2024-40849: same product (Apple macOS)
CVE-2026-28924: same product (Apple macOS)
CVE-2025-24195: same product (Apple macOS)
CVE-2026-28925: same product (Apple macOS)
CVE-2025-43257: same product (Apple macOS)
CVE-2025-24228: same product (Apple macOS)
CVE-2025-30464: same product (Apple macOS)
CVE-2025-30449: same product (Apple macOS)

Affected Assets

Vendor: apple
Product: macos
Affected versions: 14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the race condition vulnerability by requiring timely identification, reporting, and patching of the specific flaw addressed in macOS updates.

prevent: Ensures software-enforced mechanisms like the macOS sandbox robustly implement separation policies to prevent app breakout via race conditions.

prevent: Implements a reference monitor to mediate all sandboxed app access attempts, countering race condition bypasses of access enforcement.