Description
A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to break out of its sandbox.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox Escape
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a race condition in macOS Sequoia's sandbox implementation. An application running on the affected system may be able to break out of its sandbox, potentially allowing it to access system resources or files outside its permitted boundaries. This flaw is identified as CWE-362.

Affected Systems

The flaw affects Apple macOS versions before macOS Sequoia 15.1. Any installation of macOS Sequoia 15.0 or earlier is potentially vulnerable. The issue is resolved in macOS Sequoia 15.1, so systems running that or later releases are not impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the lack of publicly available exploits does not mitigate the risk. Based on the description, the likely attack vector is local exploitation by an application that can trigger the race condition. Once exploited, an attacker can escape the sandbox and potentially compromise the integrity or confidentiality of the host system, jeopardizing other user data.

Generated by OpenCVE AI on April 2, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update macOS to version 15.1 or later to apply the race condition fix.



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos
Vendors & Products | | Apple; Apple macos

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to break out of its sandbox.
Weaknesses | | CWE-362
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T19:49:19.309Z

Reserved: 2024-07-10T17:11:04.709Z

Link: CVE-2024-40849

Vulnrichment

Updated: 2026-04-02T19:47:21.293Z

NVD

Status: Analyzed

Published: 2026-04-02T19:17:57.313

Modified: 2026-04-03T19:39:14.597

Link: CVE-2024-40849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:49Z
