SB2026032506 - Multiple vulnerabilities in macOS Sequoia
Published: March 25, 2026 Updated: March 25, 2026
Description
This security bulletin contains information about 57 security vulnerabilities.
1) Information exposure through log files (CVE-ID: CVE-2026-28862)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Phone. A local application can access user-sensitive data.
2) Use after free (CVE-ID: CVE-2026-20687)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Kernel. A local application can cause unexpected system termination or write kernel memory.
3) Permissions, privileges, and access controls (CVE-ID: CVE-2026-28829)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in WebDAV. A local application can modify protected parts of the file system.
4) Permissions, privileges, and access controls (CVE-ID: CVE-2026-20607)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in libxpc. A local application can access protected user data.
5) Improper input validation (CVE-ID: CVE-2026-20692)
The vulnerability allows a local user to inject arbitrary content.
The vulnerability exists due to improper input validation in Mail when processing email content. A local user can submit specially crafted input to inject arbitrary content.
6) Improper input validation (CVE-ID: CVE-2026-20651)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in Messages. A local application can access sensitive user data.
7) Improper link resolution before file access ('link following') (CVE-ID: CVE-2026-20694)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insecure symbolic link following in MigrationKit. A local application can access user-sensitive data.
8) Improper privilege management (CVE-ID: CVE-2026-28891)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper authorization in NetAuth when handling local application requests. A local user can exploit this to escalate privileges on the system.
Exploitation requires local access and the ability to execute a local application.
9) Improper access control (CVE-ID: CVE-2026-20701)
The vulnerability allows a local user to escalate privileges and execute arbitrary code.
The vulnerability exists due to improper access control in NetAuth when handling authentication requests. A local user can exploit this to escalate privileges and execute arbitrary code.
Exploitation requires local access and user-level privileges.
10) Improper access control (CVE-ID: CVE-2026-28839)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in NetAuth. A local application can access sensitive user data.
11) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-28827)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in NetFSFramework. A local application can trick the victim into opening a specially crafted file and break out of its sandbox.
12) Path traversal (CVE-ID: CVE-2026-28816)
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to improper input validation in the Notes component when opening a specially crafted file. A local user can open a malicious file to trigger the vulnerability and execute arbitrary code or escalate privileges.
Successful exploitation may allow the attacker to execute code in the context of the current user or gain elevated privileges if the Notes application runs with higher privileges.
13) State issues (CVE-ID: CVE-2026-20693)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access control in PackageKit when handling privileged operations. A local user can exploit this to escalate privileges on the system.
14) State issues (CVE-ID: CVE-2026-28831)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in Printing. A local application can access sensitive user data.
15) Improper access control (CVE-ID: CVE-2026-28867)
The vulnerability allows a local user to execute arbitrary code in kernel space.
The vulnerability exists due to improper access control in the kernel when handling local application requests. A local user can exploit this to execute arbitrary code in kernel space.
Successful exploitation may allow the attacker to gain full control over the system.
16) State issues (CVE-ID: CVE-2026-28817)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to improper access control in the Printing component when handling print jobs. A local user can exploit this to bypass implemented security restrictions.
17) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20688)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in Printing. A local application can break out of its sandbox.
18) Information disclosure (CVE-ID: CVE-2026-28864)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access controls in the Security component when handling local requests. A local user can exploit this to disclose sensitive information.
Exploitation requires local access and no additional privileges beyond those of a standard user.
19) Use-after-free (CVE-ID: CVE-2026-28835)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free error in SMB when handling network requests. A remote attacker can send specially crafted SMB packets to cause a denial of service.
20) Out-of-bounds write (CVE-ID: CVE-2026-28825)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in SMB. A local application can modify protected parts of the file system.
21) Information exposure through log files (CVE-ID: CVE-2026-28818)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Spotlight. A local application can access sensitive user data.
22) Permissions, privileges, and access controls (CVE-ID: CVE-2026-20697)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Spotlight. A local application can access sensitive user data.
23) Improper input validation (CVE-ID: CVE-2026-28828)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in TCC. A local application can access sensitive user data.
24) Improper input validation (CVE-ID: CVE-2026-28852)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in UIFoundation. A local application can cause a denial-of-service.
25) Memory corruption (CVE-ID: CVE-2026-20657)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Vision. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination.
26) Out-of-bounds read (CVE-ID: CVE-2026-20695)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A local application can trigger an out-of-bounds read error and read contents of kernel memory.
27) Information exposure through log files (CVE-ID: CVE-2026-28868)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Kernel. A local application can disclose kernel memory.
28) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-28865)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the 802.1X protocol implementation when handling authentication requests. A remote attacker on the local network can intercept sensitive information.
29) Improper link resolution before file access ('link following') (CVE-ID: CVE-2026-28866)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insecure symbolic link following in Clipboard. A local application can access sensitive user data.
30) Improper authorization (CVE-ID: CVE-2026-28877)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper authorization checks in the Accounts component. A local application can gain access to sensitive user information.
31) Integer overflow (CVE-ID: CVE-2025-55753)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an integer overflow in mod_md (ACME) in the case of failed ACME certificate renewal. After a number of failures (~30 days in default configurations), the backoff timer becomes 0, leading to a denial of service condition.
32) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.
33) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-59775)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when AllowEncodedSlashes is "On" and MergeSlashes is "Off". A remote attacker can send a specially crafted HTTP request and force the web server into leaking NTLM hashes.
Note, the vulnerability affects Windows installations only.
34) Code injection (CVE-ID: CVE-2025-65082)
The vulnerability allows a local user to affect web server behavior.
The vulnerability exists due to improper input validation when handling environment variables set via the Apache configuration. A local user can set specially crafted values that supersede variables calculated by the server for CGI programs.
35) Input validation error (CVE-ID: CVE-2025-66200)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing the RequestHeader directive in .htaccess files. A local user can bypass mod_userdir+suexec security measures via AllowOverride FileInfo and run certain CGI scripts under an unexpected userid.
36) Use after free (CVE-ID: CVE-2026-20637)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in AppleKeyStore. A local application can cause unexpected system termination.
37) State issues (CVE-ID: CVE-2026-28824)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in AppleMobileFileIntegrity. A local application can access sensitive user data.
38) Cryptographic issues (CVE-ID: CVE-2026-20699)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a cryptographic issue in AppleMobileFileIntegrity. A local application can access user-sensitive data.
39) Use after free (CVE-ID: CVE-2026-28879)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in Audio. A remote attacker can trick the victim into opening a specially crafted file and cause an unexpected process crash.
40) Buffer overflow (CVE-ID: CVE-2026-28822)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in the Audio subsystem. A remote attacker can trick the victim into opening a specially crafted media file, trigger memory corruption and perform a denial of service attack.
41) Improper input validation (CVE-ID: CVE-2026-28894)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Calling Framework. A remote attacker can trick the victim into opening a specially crafted file and cause a denial-of-service.
42) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20660)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in CFNetwork. A local user can trick the victim into opening a specially crafted file and write arbitrary files.
43) Integer overflow (CVE-ID: CVE-2026-20639)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an integer overflow in configd. A local user can pass a specially crafted string to the daemon, trigger an integer overflow and execute arbitrary code with elevated privileges.
44) Out-of-bounds read (CVE-ID: CVE-2025-64505)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the png_do_quantize function when processing PNG files with malformed palette indices. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and read contents of memory on the system.
45) Memory corruption (CVE-ID: CVE-2026-20690)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.
46) Improper input validation (CVE-ID: CVE-2026-28821)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in CoreServices. A local application can gain elevated privileges.
47) Improper access control (CVE-ID: CVE-2026-28838)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in CoreServices. A local application can break out of its sandbox.
48) Improper input validation (CVE-ID: CVE-2026-28886)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreUtils. A local user can cause a denial-of-service.
49) State issues (CVE-ID: CVE-2026-28888)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in CUPS. A local application can gain root privileges.
50) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)
The vulnerability allows an attacker to obtain a bearer token.
The vulnerability exists due to an error when handling cross-protocol redirects. When an oauth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
51) Link following (CVE-ID: CVE-2026-20633)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to an insecure link following issue in Archive Utility. A local application can create a specially crafted symbolic link to a user's confidential file on the system and read its contents.
52) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-28876)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to incorrect handling of path names in DeviceLink. A local application can trick the victim into opening a specially crafted file and access sensitive user data.
53) Improper input validation (CVE-ID: CVE-2026-28892)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in Diagnostics. A local application can modify protected parts of the file system.
54) Memory corruption (CVE-ID: CVE-2026-28832)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a boundary error in File System. A local application can disclose kernel memory.
55) Information exposure through log files (CVE-ID: CVE-2026-20668)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Focus. A local application can access sensitive user data.
56) State issues (CVE-ID: CVE-2026-28834)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a state management issue in GPU Drivers. A local application can cause unexpected system termination.
57) Permissions, privileges, and access controls (CVE-ID: CVE-2026-28880)
The vulnerability allows a local application to enumerate installed apps.
The vulnerability exists due to improperly imposed security restrictions in iCloud. A local application can enumerate the user's installed apps.
Remediation
Install the update from the vendor's website.