Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
Published: 2025-12-12
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential access to sensitive user data
Action: Update macOS
AI Analysis

Impact

A parsing issue in the handling of directory paths was identified in macOS. The flaw allows an application to potentially access sensitive user data by providing crafted directory paths. The weakness is a path traversal vulnerability (CWE‑22). The impact is the compromise of data confidentiality for users running affected software, but it does not affect system integrity or availability.

Affected Systems

Apple's macOS operating system, specifically versions prior to macOS Tahoe 26.1, is affected. The issue is fixed in macOS Tahoe 26.1 and later. Any application running on these systems that fails to validate path inputs correctly could exploit the flaw.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The flaw is not listed in CISA's KEV catalog, which further suggests that active exploitation is unlikely and would be limited to apps that intentionally provide malformed paths. The attack vector is inferred to be local or within an application context; an attacker would need to influence the application's path handling, which is mostly mitigated by macOS sandboxing and application signing.

Generated by OpenCVE AI on April 22, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.1 or later to apply the path validation fix.
  • Reinstall any third‑party applications that may attempt to access sensitive directories, ensuring they are signed and verified by Apple.
  • Restrict applications’ access to sensitive data by enforcing appropriate file‑system permissions or using macOS sandboxing controls.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | macOS Directory Path Parsing Flaw Enables Potential Sensitive Data Access |

Wed, 17 Dec 2025 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |

Mon, 15 Dec 2025 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-22 |
| Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Sun, 14 Dec 2025 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple; Apple macos; Apple macos Tahoe |
| Vendors & Products | | Apple; Apple macos; Apple macos Tahoe |

Fri, 12 Dec 2025 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:49.622Z

Reserved: 2025-04-16T15:24:37.126Z

Link: CVE-2025-43465

Vulnrichment

Updated: 2025-12-15T20:28:30.541Z

NVD

Status: Analyzed

Published: 2025-12-12T21:15:54.707

Modified: 2025-12-17T15:55:37.980

Link: CVE-2025-43465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z
