Description
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information.
Published: 2026-02-11
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch OS
AI Analysis

Impact

A logging flaw in earlier releases of Apple macOS failed to redact sensitive location information, enabling a malicious application to access and read that data. The issue was corrected in macOS Tahoe 26.3, highlighting that any pre‑26.3 system that accepts or records location data in log files is susceptible. Because the flaw concerns the improper handling of logged data, it falls under the CWE-532 classification of Information Exposure Through Log Files.

Affected Systems

Apple macOS operating systems prior to version 26.3 are affected. The vulnerability applies to all macOS installations that allow third‑party or internal applications to generate logs containing location information. The patch and fix are contained in macOS Tahoe 26.3 and later releases.

Risk and Exploitability

The CVSS score of 3.3 indicates a low‑to‑moderate severity, while an EPSS score below 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited present‑day exploitation. The likely attack vector is local: a malicious or compromised application running on the Mac can read the logs that contain unredacted location data. No remote exploitation or privilege escalation is implied by the available description.

Generated by OpenCVE AI on April 15, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all macOS installations to macOS Tahoe 26.3 or later to apply the official patch disallowing unredacted location logs
  • Verify that third‑party applications do not log location data without proper redaction or obfuscation
  • Use system preferences or administrative scripts to disable optional logging of location information while the patch status is being verified

Generated by OpenCVE AI on April 15, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126348 cve-icon cve-icon
History

Sun, 15 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-532

Fri, 13 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:58.313Z

Reserved: 2025-11-11T14:43:07.863Z

Link: CVE-2026-20646

cve-icon Vulnrichment

Updated: 2026-02-13T19:42:42.251Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T23:16:07.530

Modified: 2026-02-13T20:17:40.477

Link: CVE-2026-20646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses