Description
A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape via race condition
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a race condition in macOS that can allow a sandboxed application to escape its sandbox and access protected resources. It results from a timing-related flaw that was corrected by adding additional validation logic in the operating system.

Affected Systems

Apple macOS versions before 15.7.5 (Sequoia), 14.8.5 (Sonoma), and 26.4 (Tahoe) are affected. Devices running earlier releases of these macOS lines can run a sandboxed application that may exploit the race condition.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. An EPSS score of less than 1 % suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path requires inducing a race condition within a sandboxed application, which may involve manipulating the timing of operations; this is inferred from the nature of a race condition but is not directly confirmed by the provided data. Because of the need for precise timing, exploitation is considered to have moderate difficulty.

Generated by OpenCVE AI on March 25, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install macOS updates to version 15.7.5, 14.8.5, or 26.4 or later, which fix the race condition.
  • Verify the update installation by checking the system’s Software Update pane or running softwareupdate --history.
  • If the update cannot be applied immediately, limit the use of affected sandboxed applications until the patch is installed to reduce the chance of exploitation.

Generated by OpenCVE AI on March 25, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Race Condition Enables Sandbox Escape in macOS

Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:25:48.746Z

Reserved: 2026-03-03T16:36:03.981Z

Link: CVE-2026-28891

cve-icon Vulnrichment

Updated: 2026-03-25T14:35:13.978Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T01:17:12.580

Modified: 2026-03-25T17:59:49.667

Link: CVE-2026-28891

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:16:14Z

Weaknesses