CVE-2026-28914 Overview
CVE-2026-28914 is a logic flaw in Apple macOS that allows a maliciously crafted ZIP archive to bypass Gatekeeper checks. Gatekeeper enforces code-signing and notarization policies on downloaded content. By exploiting improper file handling during archive processing, an attacker can deliver unsigned or unnotarized payloads that execute without the expected security prompts. Apple fixed the issue in macOS Tahoe 26.5. The vulnerability is tracked under [CWE-358: Improperly Implemented Security Check for Standard].
Critical Impact
A crafted ZIP archive can bypass Gatekeeper, enabling execution of untrusted content on macOS endpoints and undermining the operating system's primary defense against malicious downloads.
Affected Products
- Apple macOS versions prior to macOS Tahoe 26.5
- Systems relying on Gatekeeper for code-signing and notarization enforcement
- Endpoints that process ZIP archives from untrusted sources (email, browsers, messaging)
Discovery Timeline
- 2026-05-11 - CVE-2026-28914 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28914
Vulnerability Analysis
The flaw resides in how macOS handles file extraction from ZIP archives. Gatekeeper relies on the com.apple.quarantine extended attribute to identify content downloaded from untrusted sources. When a user opens quarantined content, Gatekeeper validates code signatures and notarization tickets before permitting execution. The logic issue in CVE-2026-28914 allows specially constructed ZIP archives to evade these checks during extraction or launch, so payloads that would otherwise be blocked run without verification.
Exploitation requires user interaction. A victim must download the crafted archive and open the extracted content. Successful exploitation does not directly impact confidentiality or availability, but it enables high-impact integrity violations because untrusted code executes with the user's privileges.
Root Cause
The defect is an improperly implemented security check during archive handling. Apple addressed it with improved file handling in macOS Tahoe 26.5. The underlying weakness, [CWE-358], indicates that the standard Gatekeeper enforcement path failed to apply correctly to certain ZIP archive structures, leaving the integrity boundary intact in code but bypassable in practice.
Attack Vector
An attacker crafts a ZIP archive whose internal structure causes macOS to omit or mishandle quarantine propagation or signature verification on the extracted contents. The archive is delivered through phishing, drive-by download, or supply-chain distribution. When the user extracts and launches the embedded payload, Gatekeeper does not block or warn, and the code executes as if it were trusted. Refer to the Apple Support Article for vendor details.
Detection Methods for CVE-2026-28914
Indicators of Compromise
- Execution of unsigned or non-notarized binaries originating from extracted ZIP archives
- Files lacking the com.apple.quarantine extended attribute despite originating from a downloaded archive
- ZIP archives with anomalous central directory structures, symlinks, or unusual entry naming conventions
Detection Strategies
- Monitor process creation events where the parent is an archive utility such as Archive Utility.app or unzip and the child is an unsigned Mach-O binary
- Audit extended attributes on newly created files using xattr -l to verify quarantine propagation from parent archives
- Inspect ZIP archives delivered via email or web gateways for nested executables, AppleDouble metadata, or symlinks that point outside the extraction root
Monitoring Recommendations
- Centralize macOS endpoint telemetry covering file creation, extended attribute changes, and code-signing verification failures
- Alert on Gatekeeper assessment events emitted by syspolicyd that indicate skipped or short-circuited evaluations
- Track first-seen binary executions per host and correlate with recent archive extraction activity
How to Mitigate CVE-2026-28914
Immediate Actions Required
- Upgrade affected systems to macOS Tahoe 26.5 or later without delay
- Restrict execution of binaries extracted from archives received via email or messaging until patching is verified
- Educate users to validate the source of ZIP archives before extraction and execution
Patch Information
Apple resolved CVE-2026-28914 in macOS Tahoe 26.5 by improving file handling during archive processing. Administrators should deploy the update through Mobile Device Management (MDM) or Software Update. Verify installation by confirming the system version in About This Mac or via sw_vers -productVersion. The vendor advisory is available in the Apple Support Article.
Workarounds
- Block inbound ZIP archives at email and web gateways where business processes permit
- Enforce a managed allowlist of signed and notarized applications using MDM configuration profiles
- Require users to extract archives only within monitored directories and review extended attributes before launching contents
# Verify macOS version and Gatekeeper status
sw_vers -productVersion
spctl --status
# Inspect quarantine attribute on a suspicious file
xattr -l /path/to/extracted/file
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
