Description
A package validation issue was addressed by blocking the vulnerable package. This issue is fixed in macOS Tahoe 26.3. An app may be able to gain root privileges.
Published: 2026-02-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Root
Action: Immediate Patch
AI Analysis

Impact

A package validation issue in macOS Tahoe allows a malicious application to obtain root privileges. The flaw was mitigated by blocking the vulnerable package, but until the fix is applied, an app may be able to elevate its privileges to system level.

Affected Systems

Apple macOS Tahoe versions prior to 26.3 are affected. The issue was resolved in macOS Tahoe 26.3, so newer releases are not impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely local, requiring the presence of a malicious app capable of triggering the package validation flaw to achieve privilege escalation.

Generated by OpenCVE AI on April 16, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.3 or later to receive the fix
  • Apply any available Apple security updates that address this package validation flaw
  • Verify that the vulnerable package is blocked or quarantined in the system’s security settings
  • If a patch cannot be applied immediately, monitor system activity for signs of privilege escalation attempts and investigate any unauthenticated apps


Advisories

No advisories yet.

References
History

Thu, 16 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Title | | macOS Package Validation Privilege Escalation
Weaknesses | | CWE-269

Wed, 25 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos
Vendors & Products | | Apple; Apple macos

Wed, 11 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | A package validation issue was addressed by blocking the vulnerable package. This issue is fixed in macOS Tahoe 26.3. An app may be able to gain root privileges.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:21:30.304Z

Reserved: 2025-11-11T14:43:07.865Z

Link: CVE-2026-20658

Vulnrichment

Updated: 2026-02-25T17:48:04.721Z

NVD

Status: Modified

Published: 2026-02-11T23:16:08.530

Modified: 2026-02-25T19:43:20.767

Link: CVE-2026-20658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z
