CVE-2026-28915 Overview
CVE-2026-28915 is a path traversal vulnerability [CWE-22] in Apple macOS that stems from improper parsing of directory paths. A local application can exploit the flaw to gain root privileges on affected systems. Apple addressed the issue with improved path validation in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.
The vulnerability requires local access and user interaction, but successful exploitation grants full administrative control over the host. Apple has not reported in-the-wild exploitation, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
A malicious application can leverage flawed directory path handling to escalate from a standard user context to root, exposing system files, credentials, and kernel-level operations.
Affected Products
- Apple macOS Sequoia versions prior to 15.7.7
- Apple macOS Sonoma versions prior to 14.8.7
- Apple macOS Tahoe versions prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28915 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28915
Vulnerability Analysis
The flaw resides in macOS path-parsing logic that handles directory references during privileged operations. Insufficient validation allows a crafted path to bypass intended directory boundaries. An application running with standard user privileges can manipulate path resolution to influence files or operations executed in a privileged context.
The issue is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. Exploitation requires local code execution and user interaction, indicating an attacker must first deliver and run a malicious application on the target system. Once executed, the application leverages the parsing flaw to acquire root privileges.
Apple's advisory states the issue was resolved through improved path validation, indicating stricter normalization and boundary checks were introduced in the patched releases.
Root Cause
The root cause is a parsing defect in how macOS components interpret directory path components. Path strings containing traversal sequences or malformed separators are not consistently canonicalized before privileged file operations occur. This permits a low-privilege caller to direct privileged code toward attacker-controlled targets.
Attack Vector
The attack vector is local. An attacker delivers a malicious application through standard distribution channels such as downloads, email attachments, or supply chain compromise. When the user executes the application, it issues crafted file or directory requests that exploit the path-parsing weakness to gain root. No network access is required, and no remote pre-authentication path is available.
Apple has not published exploitation specifics. Refer to the Apple Support Document #127115, Apple Support Document #127116, and Apple Support Document #127117 for vendor guidance.
Detection Methods for CVE-2026-28915
Indicators of Compromise
- Unexpected processes spawned with root or wheel group ownership originating from user-space application bundles.
- Creation or modification of files in protected system directories such as /System, /Library/LaunchDaemons, or /private/var/root shortly after launching an untrusted application.
- Unsigned or ad-hoc signed binaries invoking privileged system services or setuid operations.
Detection Strategies
- Monitor Endpoint Security framework events for ES_EVENT_TYPE_NOTIFY_EXEC and ES_EVENT_TYPE_NOTIFY_RENAME calls referencing paths with traversal sequences such as ../ or symlinked directories.
- Audit process lineage where a non-privileged parent spawns a child with elevated effective UID 0.
- Compare installed macOS build numbers against patched versions to identify exposed endpoints.
Monitoring Recommendations
- Enable Unified Logging with predicates for privilege transitions and review entries through log show for anomalies.
- Track installation events for newly delivered applications and correlate with subsequent privileged file system modifications.
- Forward macOS endpoint telemetry to a centralized analytics platform for retrospective hunting against the indicators above.
How to Mitigate CVE-2026-28915
Immediate Actions Required
- Update affected systems to macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 without delay.
- Restrict installation of applications from untrusted sources by enforcing Gatekeeper and notarization requirements.
- Audit administrative accounts and remove unnecessary local privileges to reduce blast radius if exploitation succeeds.
Patch Information
Apple released patches in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. The fix introduces improved path validation in the affected component. Patch details are available in Apple Support Document #127115, Apple Support Document #127116, and Apple Support Document #127117.
Workarounds
- No vendor-supplied workaround exists. Patching is the only complete remediation.
- As a compensating control, limit execution of unsigned or non-notarized applications via MDM configuration profiles.
- Enable System Integrity Protection (SIP) and ensure it remains active on all managed endpoints.
# Verify current macOS version and update status
sw_vers
softwareupdate --list
softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
