Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to read sensitive location information.
Published: 2025-09-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data confidentiality compromise (location data)
Action: Update OS
AI Analysis

Impact

A permissions flaw permits an application to read sensitive location data that it should not be allowed to access. The weakness, classified as CWE‑284 Access Control, could lead to unauthorized disclosure of geolocation information, compromising user privacy and confidentiality without affecting system integrity or availability.

Affected Systems

Apple macOS is impacted. The vulnerability is present in versions prior to macOS Tahoe 26, which supplies the fix. Users of older macOS releases face the risk of applications gaining unintended location access.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, while the EPSS score of less than 1% indicates low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an application that is installed on the local machine and granted location permissions; a malicious developer could install a seemingly benign app to harvest a user’s location data. Because the issue is a permissions oversight rather than an arbitrary code execution flaw, the attack surface is limited to the local environment and user acceptance of app permissions.

Generated by OpenCVE AI on April 28, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the macOS update containing the fix, such as macOS Tahoe 26 or later
  • Review and restrict application permissions, ensuring only trusted apps have location access
  • If necessary, disable location services for apps that do not require it or mitigate by configuring stricter system-wide privacy settings

Advisories
Source: EUVD
ID: EUVD-2025-29319
Title: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to read sensitive location information.

History

Tue, 28 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Title Permissions Vulnerability Permits Unauthorized Reading of Sensitive Location Data

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 17 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Wed, 17 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared: Apple; Apple macos
Vendors & Products: Apple; Apple macos

Tue, 16 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284
Metrics:
cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Sep 2025 22:45:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to read sensitive location information.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:15:42.137Z

Reserved: 2025-04-16T15:24:37.088Z

Link: CVE-2025-43208

Vulnrichment

Updated: 2025-11-03T18:09:41.378Z

NVD

Status : Modified

Published: 2025-09-15T23:15:30.807

Modified: 2025-11-03T19:15:53.760

Link: CVE-2025-43208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T00:15:05Z

Weaknesses