A race condition in the handling of symbolic links can allow an application to read a user’s Contacts database without the user’s consent. The flaw stems from a timing window where the operating system incorrectly resolves symbolic links during file system operations, enabling the application to bypass the standard permission checks that protect private data. The impact is a confidentiality breach of personal contact information, not code execution or denial of service, and therefore it threatens user privacy rather than system integrity or availability. Based on the description, it is inferred that the exploitation requires a locally running application to trigger the race condition.

Apple macOS versions that are not yet updated to the corrected releases are affected. The fix is included in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. All earlier releases of these operating systems carry the vulnerability until the user upgrades to one of the patched versions.

Based on the description, it is inferred that the exploitability requires a local application to trigger the race condition; remote exploitation is not indicated. The CVSS score of 7.5 indicates moderate to high severity, and the EPSS score of < 1% suggests a low likelihood of exploitation, while the vulnerability is not listed in CISA KEV. However, any application that creates or manipulates symbolic links with elevated privileges could potentially exploit the race condition, making the risk moderate until the software is updated. The absence of a public exploit does not eliminate the threat, particularly for targeted attacks that can install a malicious application.