SB2026051205 - Multiple vulnerabilities in Apple macOS Tahoe
Published: May 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 79 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-43656)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in Quick Look. A local application can trick the victim into opening a specially crafted file and perform an unexpected app termination.
2) State issues (CVE-ID: CVE-2026-28919)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in StorageKit. A local application can gain root privileges.
3) Memory corruption (CVE-ID: CVE-2026-43658)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.
4) Improper access control (CVE-ID: CVE-2026-28962)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in WebKit when rendering content. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensitive information.
5) Protection Mechanism Failure (CVE-ID: CVE-2026-28907)
The vulnerability allows a remote attacker to prevent CSP enforcement.
The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.
6) Protection Mechanism Failure (CVE-ID: CVE-2026-43660)
The vulnerability allows a remote attacker to prevent CSP enforcement.
The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.
7) Improper access control (CVE-ID: CVE-2026-28976)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper access control in UserAccountUpdater when processing requests from a local application. A local user can invoke the vulnerable component from a local application to escalate privileges.
8) Path traversal (CVE-ID: CVE-2026-39871)
The vulnerability allows a local user to access files and directories outside the intended path restrictions.
The vulnerability exists due to path traversal in TV App when handling input from a local application. A local user can supply crafted input to access files and directories outside the intended path restrictions.
9) Improper input validation (CVE-ID: CVE-2026-28924)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in Sync Services. A local application can access Contacts without user consent.
10) Improper access control (CVE-ID: CVE-2026-28996)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Storage when handling local application access. A local user can access sensitive information to disclose sensitive information.
11) Memory corruption (CVE-ID: CVE-2026-28847)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
12) Improper access control (CVE-ID: CVE-2026-28974)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in Spotlight. A local application can cause a denial-of-service.
13) Permissions, privileges, and access controls (CVE-ID: CVE-2026-28930)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Spotlight. A local application can access protected user data.
14) Memory corruption (CVE-ID: CVE-2026-28848)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in SMB. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected system termination.
15) Improper access control (CVE-ID: CVE-2026-28993)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in shortcuts when handling local application access. A local user can access the vulnerable component to disclose sensitive information.
16) Memory corruption (CVE-ID: CVE-2026-28846)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in SceneKit. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected app termination.
17) Memory corruption (CVE-ID: CVE-2026-39870)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in SceneKit. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
18) Permissions, privileges, and access controls (CVE-ID: CVE-2026-43652)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Sandbox. A local application can access protected user data.
19) Memory corruption (CVE-ID: CVE-2026-28905)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
20) Memory corruption (CVE-ID: CVE-2026-28904)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
21) State Issues (CVE-ID: CVE-2026-28906)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a state issue in Networking. A remote attacker can track users through their IP address.
22) Use after free (CVE-ID: CVE-2026-28947)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.
23) Improper access control (CVE-ID: CVE-2026-28914)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in zip when processing archive contents. A remote attacker can supply a specially crafted archive to disclose sensitive information.
24) Use-after-free (CVE-ID: CVE-2026-28994)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in Wi-Fi when handling wireless network traffic. A remote attacker can send specially crafted wireless traffic to cause a denial of service.
25) Out-of-bounds write (CVE-ID: CVE-2026-28819)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in Wi-Fi. A local application can execute arbitrary code with kernel privileges.
26) Memory corruption (CVE-ID: CVE-2026-28944)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebRTC. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected process crash.
27) Protection Mechanism Failure (CVE-ID: CVE-2026-28971)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A malicious iframe may use another website’s download settings, which can lead to browser's UI spoofing.
28) Use after free (CVE-ID: CVE-2026-28942)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.
29) Use after free (CVE-ID: CVE-2026-28946)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.
30) Improper input validation (CVE-ID: CVE-2026-28917)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
31) Memory corruption (CVE-ID: CVE-2026-28955)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
32) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-28958)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output in WebKit. A local application can access sensitive user data.
33) Use after free (CVE-ID: CVE-2026-28883)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
34) Memory corruption (CVE-ID: CVE-2026-28913)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
35) Memory corruption (CVE-ID: CVE-2026-28901)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
36) Memory corruption (CVE-ID: CVE-2026-28902)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
37) Memory corruption (CVE-ID: CVE-2026-28953)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
38) Memory corruption (CVE-ID: CVE-2026-28903)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.
39) Memory corruption (CVE-ID: CVE-2026-28991)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Accelerate. A local application can cause a denial-of-service.
40) Improper access control (CVE-ID: CVE-2026-28961)
The vulnerability allows an attacker with physical access to the system to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Network Extensions. An attacker with physical access to the system can view sensitive user information.
41) Memory corruption (CVE-ID: CVE-2026-28918)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in CoreSymbolication. A local application can trick the victim into opening a specially crafted file and perform an unexpected app termination.
42) Memory corruption (CVE-ID: CVE-2026-28990)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
43) Memory corruption (CVE-ID: CVE-2026-28977)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in ImageIO. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination.
44) Memory corruption (CVE-ID: CVE-2026-43661)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
45) Memory corruption (CVE-ID: CVE-2026-28925)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in HFS. A local application can cause unexpected system termination or write kernel memory.
46) Information exposure through log files (CVE-ID: CVE-2026-28923)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to inclusion of sensitive information into a log file in GPU Drivers. A local application can break out of its sandbox.
47) Improper access control (CVE-ID: CVE-2026-43659)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in FileProvider when handling file provider operations. A local user can access sensitive information to disclose sensitive information.
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in CUPS. A local application can trick the victim into opening a specially crafted file and gain root privileges.
49) Improper access control (CVE-ID: CVE-2026-28936)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in CoreServices. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination.
50) Improper input validation (CVE-ID: CVE-2026-28992)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in IOHIDFamily when processing user-supplied input. A local user can send specially crafted input to cause a denial of service.
51) State issues (CVE-ID: CVE-2026-28922)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in CoreMedia. A local application can access private information.
52) Memory corruption (CVE-ID: CVE-2026-39869)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Audio. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.
53) Improper input validation (CVE-ID: CVE-2026-28956)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in AppleJPEG. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination or corrupt process memory.
54) Improper input validation (CVE-ID: CVE-2026-1837)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AppleJPEG when parsing input. A remote attacker can send a specially crafted input to cause a denial of service.
55) Improper access control (CVE-ID: CVE-2026-28995)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in App Intents. A local application can break out of its sandbox.
56) Memory corruption (CVE-ID: CVE-2026-28959)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in APFS. A local application can cause unexpected system termination.
57) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28988)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed permissions in Accounts. A local application can bypass certain Privacy preferences.
58) Permissions, privileges, and access controls (CVE-ID: CVE-2026-28978)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Installer. A local application can break out of its sandbox.
59) Improper input validation (CVE-ID: CVE-2026-28943)
60) Memory corruption (CVE-ID: CVE-2026-28940)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in Model I/O. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
61) Improper input validation (CVE-ID: CVE-2026-28987)
62) Improper access control (CVE-ID: CVE-2026-28941)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in Model I/O. A remote attacker can trick the victim into opening a specially crafted file and perform a denial-of-service or potentially disclose memory contents.
63) Out-of-bounds write (CVE-ID: CVE-2026-43666)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in mDNSResponder. A remote attacker on the local network can cause a denial-of-service.
64) Use after free (CVE-ID: CVE-2026-43668)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in mDNSResponder. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected system termination or corrupt kernel memory.
65) Improper input validation (CVE-ID: CVE-2026-28985)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in mDNSResponder. A remote attacker on the local network can cause a denial-of-service.
66) Memory corruption (CVE-ID: CVE-2026-43653)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in mDNSResponder. A remote attacker on the local network can cause a denial-of-service.
67) Improper input validation (CVE-ID: CVE-2026-28929)
68) Improper access control (CVE-ID: CVE-2026-28983)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in LaunchServices. A remote attacker can trick the victim into opening a specially crafted file and cause a denial of service.
69) Improper access control (CVE-ID: CVE-2026-28986)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in kernel when handling a local application. A local user can run a local application to cause a denial of service.
70) Use after free (CVE-ID: CVE-2026-28969)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in IOKit. A local application can cause unexpected system termination.
71) Out-of-bounds write (CVE-ID: CVE-2026-28972)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in Kernel. A local application can cause unexpected system termination or write kernel memory.
72) State issues (CVE-ID: CVE-2026-28951)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in Kernel. A local application can gain root privileges.
73) Improper input validation (CVE-ID: CVE-2026-28952)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Kernel. A local application can cause unexpected system termination.
74) Improper input validation (CVE-ID: CVE-2026-28897)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Kernel. A local user can cause unexpected system termination or read kernel memory.
75) Improper access control (CVE-ID: CVE-2026-28954)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in kernel when handling local access to kernel resources. A local user can access sensitive kernel-managed information to disclose sensitive information.
76) Improper input validation (CVE-ID: CVE-2026-28908)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in Kernel. A local application can modify protected parts of the file system.
77) Memory corruption (CVE-ID: CVE-2026-43654)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a boundary error in Kernel. A local application can disclose kernel memory.
78) Memory corruption (CVE-ID: CVE-2026-43655)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in IOSurfaceAccelerator. A local application can cause unexpected system termination or read kernel memory.
79) Out-of-bounds read (CVE-ID: CVE-2026-28920)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in zlib. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and read contents of memory on the system.
Remediation
Install update from vendor's website.