SB2026051209 - Multiple vulnerabilities in macOS Sequoia
Published: May 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 45 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2026-28987)
2) Memory corruption (CVE-ID: CVE-2026-39870)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in SceneKit. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
3) Memory corruption (CVE-ID: CVE-2026-28959)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in APFS. A local application can cause unexpected system termination.
4) Improper input validation (CVE-ID: CVE-2026-28929)
5) Use after free (CVE-ID: CVE-2026-43668)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in mDNSResponder. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected system termination or corrupt kernel memory.
6) Out-of-bounds write (CVE-ID: CVE-2026-43666)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in mDNSResponder. A remote attacker on the local network can cause a denial-of-service.
7) Memory corruption (CVE-ID: CVE-2026-28940)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in Model I/O. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
8) Improper access control (CVE-ID: CVE-2026-28941)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in Model I/O. A remote attacker can trick the victim into opening a specially crafted file and perform a denial-of-service or potentially disclose memory contents.
9) State Issues (CVE-ID: CVE-2026-28906)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a state issue in Networking. A remote attacker can track users through their IP address.
10) Out-of-bounds write (CVE-ID: CVE-2026-43656)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in Quick Look. A local application can trick the victim into opening a specially crafted file and perform an unexpected app termination.
11) Memory corruption (CVE-ID: CVE-2026-28846)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in SceneKit. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected app termination.
12) Out-of-bounds write (CVE-ID: CVE-2026-28972)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in Kernel. A local application can cause unexpected system termination or write kernel memory.
13) Improper access control (CVE-ID: CVE-2026-28993)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in shortcuts when handling local application access. A local user can access the vulnerable component to disclose sensitive information.
14) Memory corruption (CVE-ID: CVE-2026-28848)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in SMB. A remote attacker can trick the victim into opening a specially crafted file and cause unexpected system termination.
15) Improper access control (CVE-ID: CVE-2026-28974)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in Spotlight. A local application can cause a denial-of-service.
16) Improper access control (CVE-ID: CVE-2026-28996)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in Storage when handling local application access. A local user can access sensitive information to disclose sensitive information.
17) State issues (CVE-ID: CVE-2026-28919)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in StorageKit. A local application can gain root privileges.
18) Improper input validation (CVE-ID: CVE-2026-28924)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in Sync Services. A local application can access Contacts without user consent.
19) Path traversal (CVE-ID: CVE-2026-39871)
The vulnerability allows a local user to access files and directories outside the intended path restrictions.
The vulnerability exists due to path traversal in TV App when handling input from a local application. A local user can supply crafted input to access files and directories outside the intended path restrictions.
20) Out-of-bounds write (CVE-ID: CVE-2026-28819)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in Wi-Fi. A local application can execute arbitrary code with kernel privileges.
21) Improper access control (CVE-ID: CVE-2026-28986)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in kernel when handling a local application. A local user can run a local application to cause a denial of service.
22) State issues (CVE-ID: CVE-2026-28951)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in Kernel. A local application can gain root privileges.
23) Out-of-bounds read (CVE-ID: CVE-2026-28920)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in zlib. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and read contents of memory on the system.
24) Memory corruption (CVE-ID: CVE-2026-28977)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in ImageIO. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination.
25) Improper input validation (CVE-ID: CVE-2026-28956)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in AppleJPEG. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination or corrupt process memory.
26) Memory corruption (CVE-ID: CVE-2026-39869)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Audio. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.
27) State issues (CVE-ID: CVE-2026-28922)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in CoreMedia. A local application can access private information.
28) Improper input validation (CVE-ID: CVE-2026-28878)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in Crash Reporter when handling crash reports. A local user can provide specially crafted input to cause a denial of service.
Exploitation does not require elevated privileges.
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in CUPS. A local application can trick the victim into opening a specially crafted file and gain root privileges.
30) Improper access control (CVE-ID: CVE-2026-43659)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in FileProvider when handling file provider operations. A local user can access sensitive information to disclose sensitive information.
31) Information exposure through log files (CVE-ID: CVE-2026-28923)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to inclusion of sensitive information into a log file in GPU Drivers. A local application can break out of its sandbox.
32) Memory corruption (CVE-ID: CVE-2026-28925)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in HFS. A local application can cause unexpected system termination or write kernel memory.
33) Memory corruption (CVE-ID: CVE-2026-28990)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
34) Improper input validation (CVE-ID: CVE-2026-28908)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in Kernel. A local application can modify protected parts of the file system.
35) Permissions, privileges, and access controls (CVE-ID: CVE-2026-28978)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Installer. A local application can break out of its sandbox.
36) Improper input validation (CVE-ID: CVE-2026-28992)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in IOHIDFamily when processing user-supplied input. A local user can send specially crafted input to cause a denial of service.
37) Improper input validation (CVE-ID: CVE-2026-28943)
38) Use after free (CVE-ID: CVE-2026-28969)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in IOKit. A local application can cause unexpected system termination.
39) Memory corruption (CVE-ID: CVE-2026-43654)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a boundary error in Kernel. A local application can disclose kernel memory.
40) Improper access control (CVE-ID: CVE-2026-28954)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in kernel when handling local access to kernel resources. A local user can access sensitive kernel-managed information to disclose sensitive information.
41) Improper input validation (CVE-ID: CVE-2026-28897)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Kernel. A local user can cause unexpected system termination or read kernel memory.
42) Improper input validation (CVE-ID: CVE-2026-28952)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Kernel. A local application can cause unexpected system termination.
43) Use-after-free (CVE-ID: CVE-2026-28994)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in Wi-Fi when handling wireless network traffic. A remote attacker can send specially crafted wireless traffic to cause a denial of service.
44) Privilege / Sandbox Issues (CVE-ID: CVE-2025-43524)
The vulnerability allows a local application to escape sandbox restrictions.
The vulnerability exists due to improperly imposed restrictions in Icons. A local application can break out of its sandbox.
45) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28840)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in PackageKit. A local application can execute arbitrary code with root privileges.
Remediation
Install update from vendor's website.