Impact
The vulnerability is a logic flaw that undermines existing checks for user‑sensitive data access. Because the flaw is neither an injection nor a buffer overflow, it does not provide direct code execution. Instead, it allows a locally installed application to read or obtain data that should be protected, creating a privilege bypass of the operating system’s sandboxing controls. This type of weakness is classified as CWE‑284 (Improper Access Control), reflecting a straightforward access‑control bypass that can compromise the confidentiality of private files and system settings.
Affected Systems
The flaw affects Apple macOS operating systems released before the patches described in Apple support articles 125634–125636. The fixes are included in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, and macOS Tahoe 26.1. All earlier releases in those product lines are considered vulnerable until an update is applied.
Risk and Exploitability
The CVSS score of 5.5 indicates medium severity, but the derived EPSS score of less than 1% suggests that the likelihood of the flaw being exploited in the wild is currently very low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local: a user‑installed application can exercise the logic flaw to read protected data. No high‑impact prerequisite conditions are mentioned, so exploiting the bug requires only the presence of a malicious or misbehaving application on the user’s machine.
OpenCVE Enrichment