Description
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
Published: 2026-06-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A macOS application may exploit improper handling of symbolic links to read files outside its prescribed directories, exposing protected user data. The flaw, present before macOS Sequoia 15.4, stems from the operating system not validating symlink targets before allowing them to be followed, thereby letting an app bypass normal access restrictions.

Affected Systems

Apple macOS operating system versions prior to Sequoia 15.4 are affected. The issue is resolved in macOS Sequoia 15.4 and later releases.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is less than 1%, indicating a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The vulnerability requires a local application that can create or access symlinks, suggesting that an attacker with user-level privileges could potentially leverage the flaw to read protected files if such functionality is permitted.

Generated by OpenCVE AI on June 13, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to Sequoia 15.4 or later to apply the vendor‑supplied fix.
  • If an upgrade is not immediately feasible, limit the affected application's ability to create or follow symlinks in sensitive directories through sandboxing or fine‑grained file permissions.
  • Monitor system logs for abnormal symlink activity and block any attempts from untrusted processes to mitigate the risk of data exposure.

Generated by OpenCVE AI on June 13, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 15 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Sat, 13 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Improper Symbolic Link Handling in macOS Allows Potential Data Exposure

Sat, 13 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Symlink Traversal Exploits Protected User Data
Weaknesses CWE-22
CWE-284

Fri, 12 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-61
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Symlink Traversal Exploits Protected User Data
Weaknesses CWE-22
CWE-284

Thu, 11 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title macOS Symlink Handling Exploit Enables Access to Protected User Data
Weaknesses CWE-22
CWE-284

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Title macOS Symlink Handling Exploit Enables Access to Protected User Data
Weaknesses CWE-22
CWE-284

Thu, 11 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-12T21:22:38.449Z

Reserved: 2025-04-16T15:24:37.101Z

Link: CVE-2025-43278

cve-icon Vulnrichment

Updated: 2026-06-12T21:22:34.915Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T19:16:33.393

Modified: 2026-06-15T14:25:43.390

Link: CVE-2025-43278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T01:30:17Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following