CVE-2026-28891
Published: 25 March 2026
Summary
CVE-2026-28891 is a high-severity Race Condition (CWE-362) vulnerability in Apple macOS. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly mitigates the race condition vulnerability by requiring timely identification, reporting, and patching of the specific flaw addressed in macOS updates.
- Ensures software-enforced mechanisms like the macOS sandbox robustly implement separation policies to prevent app breakout via race conditions.
- Implements a reference monitor to mediate all sandboxed app access attempts, countering race condition bypasses of access enforcement.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Race condition enables direct sandbox escape for local privilege escalation without requiring initial privileges or user interaction.
NVD Description
A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.
Deeper analysis [AI]
CVE-2026-28891 is a race condition vulnerability (CWE-362) that was addressed through additional validation in Apple's macOS operating system. It affects macOS Sequoia prior to version 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.4. The flaw enables a malicious app to break out of its sandbox, potentially escalating access beyond intended restrictions. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), reflecting a local attack vector (AV:L), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope (S:C), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
A local attacker can exploit this race condition to bypass sandboxing mechanisms. No special privileges or user interaction are needed, though the high complexity suggests reliable exploitation requires precise timing and conditions. Successful exploitation grants the app elevated access, enabling high-impact compromise of system confidentiality, integrity, and availability with scope expansion beyond the sandboxed environment.
Apple's security advisories detail the fix via additional validation in the patched versions: macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4. Security practitioners should prioritize updating affected systems. Relevant advisories are available at https://support.apple.com/en-us/126794, https://support.apple.com/en-us/126795, and https://support.apple.com/en-us/126796.
Details
- CWE(s)