Description
A race condition was addressed with additional validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
Published: 2026-05-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that a race condition in macOS Tahoe allows a malicious or compromised application to read sensitive user information that should otherwise be protected. The issue is resolved by adding validation checks that prevent the timing flaw from granting unauthorized data access. It is inferred that the vulnerability could lead to a confidentiality breach if an attacker can execute an arbitrary app with sufficient local privileges.

Affected Systems

The vulnerability affects Apple macOS Tahoe versions released before 26.4. The fix is available in macOS Tahoe 26.4, and any earlier releases remain susceptible to the race condition if not patched.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating a very low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no publicly exploited incidents are known. The CVSS score of 4.7 indicates medium severity. It is inferred that a race condition that allows data disclosure poses a significant risk if an attacker can execute a malicious application locally. It is inferred that the low EPSS combined with the medium CVSS suggests the vulnerability is unlikely to be widely exploited, but the potential for confidentiality compromise warrants timely remediation.

Generated by OpenCVE AI on May 13, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.4 or later to apply the race‑condition fix
  • Ensure all third‑party applications are updated to their latest versions and verify they do not exploit the vulnerability
  • Restrict application permissions or use sandboxing techniques to limit local app access to sensitive data until the OS update is applied

Generated by OpenCVE AI on May 13, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126794 cve-icon cve-icon
History

Tue, 12 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Race Condition Allowing Unauthorized Access to Sensitive User Data
Weaknesses CWE-200

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Race Condition Allowing Unauthorized Access to Sensitive User Data
Weaknesses CWE-200
CWE-362

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A race condition was addressed with additional validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:30:29.959Z

Reserved: 2026-03-03T16:36:03.968Z

Link: CVE-2026-28830

cve-icon Vulnrichment

Updated: 2026-05-12T18:29:54.592Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T21:18:51.207

Modified: 2026-05-12T19:47:43.853

Link: CVE-2026-28830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses