CVE-2026-28923 Overview
CVE-2026-28923 is a sandbox escape vulnerability in Apple macOS caused by insufficient redaction of sensitive data written to system logs. A malicious application running within the macOS sandbox can read this logged data and use it to break out of its sandbox boundary. Apple addressed the issue with improved data redaction in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. The flaw is tracked under CWE-532 (Insertion of Sensitive Information into Log File) and requires local access with low privileges.
Critical Impact
A sandboxed application can escape its security boundary and gain access to resources outside the sandbox, leading to high impact on confidentiality, integrity, and availability across the system.
Affected Products
- Apple macOS Sequoia prior to 15.7.7
- Apple macOS Sonoma prior to 14.8.7
- Apple macOS Tahoe prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28923 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-28923
Vulnerability Analysis
The vulnerability stems from a logging component that writes sensitive information to system logs without applying adequate redaction. Sandboxed applications on macOS run under restricted entitlements that limit access to user data, system resources, and inter-process communication channels. However, log records on macOS are accessible to processes with relatively low privileges through the unified logging subsystem.
When sensitive material is recorded in plaintext within these logs, a malicious sandboxed application can query the log stream to recover data it would otherwise be denied. This data can include tokens, identifiers, paths, or other artifacts that enable the attacker to construct a sandbox escape. The result is a scope change: code that started in a restricted context gains influence over resources owned by other components.
Root Cause
The root cause is improper data redaction in macOS logging routines, mapped to [CWE-532]. System components emitted private values into log entries without marking them as private or otherwise sanitizing the output. The fix introduces stronger redaction so that sensitive fields no longer appear in retrievable form.
Attack Vector
Exploitation requires local code execution as a sandboxed or low-privileged user. No user interaction is needed. The attacker delivers a malicious application through standard distribution channels, such as a sideloaded binary or a trojanized app. Once executed, the application reads the logs, extracts the leaked data, and uses it to perform actions outside its sandbox profile.
No verified proof-of-concept code is publicly available for this issue. The vulnerability mechanism is described in the Apple Support Article #127115, Apple Support Article #127116, and Apple Support Article #127117.
Detection Methods for CVE-2026-28923
Indicators of Compromise
- Sandboxed processes invoking log show, log stream, or calling OSLog APIs to read system log archives outside their normal operational profile.
- Unexpected access to /var/db/diagnostics/ or /var/db/uuidtext/ from user-space applications that lack a diagnostics-related purpose.
- Sandboxed apps spawning child processes or accessing entitlements-protected resources shortly after parsing log content.
Detection Strategies
- Monitor Endpoint Security framework events for ES_EVENT_TYPE_NOTIFY_OPEN on log database paths originating from sandboxed applications.
- Baseline normal log-reading behavior per application and alert on deviations, particularly bulk reads from third-party apps.
- Correlate log access events with subsequent privileged operations, such as XPC connections to system services or writes outside the application container.
Monitoring Recommendations
- Enable telemetry collection from macOS endpoints using EDR agents that surface process, file, and entitlement activity.
- Track installed application versions and macOS build numbers across the fleet to identify hosts still running pre-patch versions.
- Review Gatekeeper and notarization events for newly introduced applications, especially those requesting log or diagnostics access.
How to Mitigate CVE-2026-28923
Immediate Actions Required
- Update affected systems to macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 without delay.
- Inventory macOS endpoints and prioritize developer workstations and systems running untrusted third-party applications.
- Restrict installation of unsigned or non-notarized applications through MDM policy until patching is complete.
Patch Information
Apple released fixes that introduce improved data redaction in the affected logging path. Patch details are published in Apple Support Article #127115 for macOS Tahoe 26.5, Apple Support Article #127116 for macOS Sonoma 14.8.7, and Apple Support Article #127117 for macOS Sequoia 15.7.7. Apply the relevant update through Software Update or your MDM platform.
Workarounds
- No vendor-supplied workaround exists. Patching is the only supported remediation.
- Limit local user privileges and enforce application allowlisting to reduce the likelihood of a malicious sandboxed app executing.
- Disable or restrict access to diagnostic log archives for non-administrative users where operationally feasible.
# Verify macOS build to confirm the patch is applied
sw_vers -productVersion
softwareupdate --list
sudo softwareupdate -i -a -R
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
