Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.
Published: 2026-05-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A parsing flaw in macOS's handling of directory paths can allow a malicious application to bypass normal path checks, potentially enabling the app to write or execute files with elevated privileges. The result is a root privilege escalation risk, giving the attacker complete control over the affected system. This weakness is a classic example of improper path validation, classified as CWE-22.

Affected Systems

Apple macOS is affected. Versions earlier than macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5 are potentially vulnerable. These update releases include the necessary path‑validation fix.

Risk and Exploitability

The CVSS score is 7.8 and the EPSS score is less than 1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Based on the description the attack is likely local, requiring the attacker to run a malicious or compromised application. If exploited, the attacker could gain root privileges and thus full system control.

Generated by OpenCVE AI on May 13, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to the latest available version that contains the Sequoia 15.7.7, Sonoma 14.8.7, or Tahoe 26.5 patch.
  • Prevent the installation or execution of untrusted applications as a temporary protective measure.
  • Actively monitor system logs and security events for signs of unauthorized privilege escalation or anomalous activity.

Generated by OpenCVE AI on May 13, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Directory Path Parsing Issue Leading to Root Privilege Escalation

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Improper Directory Path Validation in macOS
Weaknesses CWE-284
CWE-613

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Improper Directory Path Validation in macOS
Weaknesses CWE-284
CWE-613

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.
References

Subscriptions

Apple Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T14:39:49.022Z

Reserved: 2026-03-03T16:36:03.985Z

Link: CVE-2026-28915

cve-icon Vulnrichment

Updated: 2026-05-13T13:51:06.627Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T21:18:54.000

Modified: 2026-05-14T14:02:11.390

Link: CVE-2026-28915

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T21:00:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')