CVE-2026-49269 - Vulnerability Details

- Apple M1 GPU Register Leakage Enables Secret Recovery Across Sandboxed Apps

Description

Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random 128-bit secret using SecRandomCopyBytes and loads it into GPU registers. GPUAttacker.app, a separate sandboxed app, recovers the exact secret from stale GPU register state. NOTE: The vendor stated that this behavior affects only legacy hardware and has already been addressed at the hardware level in current-generation Apple Silicon.

Published: 2026-06-24

Score: 8.6 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Apple M1 GPUs retain register file data between compute shader dispatches from different processes, so a sandboxed Metal attacker can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. The attacker can recover the exact secret that the victim loaded into the registers, demonstrating a pure information‑disclosure weakness (CWE‑200). No code execution or privilege escalation is described, but the ability to read secrets across app boundaries constitutes a serious confidentiality breach.

Affected Systems

The flaw exists only on legacy Apple Silicon GPUs such as the original M1; current‑generation Apple Silicon has already corrected this hardware behavior. It impacts any sandboxed app that uses Metal on those older devices, but not devices beyond the original M1 line.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, so the exact chance of exploitation is unclear. Nevertheless, the proof‑of‑concept shows that any malicious Metal application on an affected device can recover secrets from other sandboxed apps, indicating a high confidentiality impact. The attack path requires only the presence of a second sandboxed app, making the barrier to exploitation relatively low for users of legacy Apple Silicon that store sensitive data in GPU registers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a current‑generation Apple Silicon device or firmware that includes the hardware fix for GPU register leakage.
Avoid storing sensitive secrets directly in GPU registers on legacy Apple Silicon; use secure enclave or other secure storage instead.
Encrypt any secrets before transferring them to the GPU, and decrypt them on the CPU after use, ensuring raw secrets do not reside in GPU registers.

Generated by OpenCVE AI on June 24, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://gist.github.com/scndls/9cbe31f2b0b1578eaeb311e601335355

History

Wed, 24 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		Apple M1 GPU Register Leakage Enables Secret Recovery Across Sandboxed Apps

Wed, 24 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 24 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random 128-bit secret using SecRandomCopyBytes and loads it into GPU registers. GPUAttacker.app, a separate sandboxed app, recovers the exact secret from stale GPU register state. NOTE: The vendor stated that this behavior affects only legacy hardware and has already been addressed at the hardware level in current-generation Apple Silicon.
References		https://gist.github.com/scndls/9cbe31f2b0b1578eaeb311e601335355

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-24T00:00:00.000Z

Updated: 2026-06-24T16:05:51.795Z

Reserved: 2026-05-28T00:00:00.000Z

Link: CVE-2026-49269

Vulnrichment

Updated: 2026-06-24T16:05:35.315Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object