CVE-2026-49269 Overview
CVE-2026-49269 is an information disclosure vulnerability affecting Apple M1 GPU hardware. The GPU retains register file data between compute shader dispatches issued by different processes. A sandboxed Metal application can run a reader shader that recovers stale register values written by a separate sandboxed victim application. The flaw breaks process isolation at the GPU hardware layer and bypasses standard application sandbox boundaries. Apple has indicated that the issue affects only legacy hardware and has been addressed at the hardware level in current-generation Apple Silicon. The weakness is classified as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
A sandboxed attacker app can extract cryptographic secrets from a separate sandboxed victim app by reading stale GPU register state between Metal compute dispatches.
Affected Products
- Apple M1 GPU (legacy Apple Silicon)
- macOS systems using the Metal compute API on M1 hardware
- Sandboxed applications relying on GPU process isolation
Discovery Timeline
- 2026-06-24 - CVE-2026-49269 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-49269
Vulnerability Analysis
The Apple M1 GPU does not clear its register file between compute shader dispatches originating from different host processes. When a victim process completes a Metal compute kernel, the register values it wrote remain resident in GPU general-purpose registers. A subsequent dispatch from an unrelated attacker process can read those uninitialized registers and recover the prior values verbatim.
The published proof of concept demonstrates a full secret recovery primitive. GPUVictim.app generates a 128-bit random value with SecRandomCopyBytes and loads it into GPU registers through a Metal compute shader. GPUAttacker.app then schedules its own compute dispatch and reads back the same registers without initializing them. The attacker recovers the exact 128-bit secret. Both applications run under the standard macOS application sandbox.
Root Cause
The root cause is hardware-level reuse of GPU register file storage across process boundaries. The shader execution units treat uninitialized registers as readable scratch space rather than zeroing or partitioning them between contexts. Operating system process isolation does not extend to GPU register state because the sanitization step is expected at the hardware or driver layer.
Attack Vector
An attacker delivers a malicious sandboxed application to the target system through normal distribution channels. The application uses the Metal API to issue a compute shader that reads from general-purpose registers without first writing to them. By correlating dispatch timing with target activity, the attacker harvests secrets that the victim placed in registers during cryptographic operations, key generation, or other sensitive workloads. No elevated privileges, user interaction, or sandbox escape is required prior to the read. Refer to the GitHub Gist PoC for the Metal shader implementation details.
Detection Methods for CVE-2026-49269
Indicators of Compromise
- Unsigned or untrusted applications loading the Metal framework and issuing compute dispatches without rendering output
- Applications that allocate Metal compute pipelines but produce no visible UI or graphics surface
- Repeated short-lived GPU compute dispatches from background processes immediately after cryptographic activity in another app
- Processes invoking MTLComputeCommandEncoder with shaders that read uninitialized thread-group or register storage
Detection Strategies
- Monitor process telemetry on macOS endpoints for non-graphics applications linking against Metal.framework and MetalPerformanceShaders.framework
- Inspect application bundles for compute-only Metal shader libraries paired with no rendering code paths
- Correlate GPU workload bursts between unrelated sandboxed applications running concurrently
- Flag apps requesting Metal access from background or LaunchAgent contexts without a documented compute use case
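One way to turn the first two strategies into a triage pass, as an added example that is not part of the original advisory or any vendor tooling: it parses `otool -L` output for each binary and queues those that link Metal with no UI or rendering framework, on M1 hosts only. The `UI_RENDER` list, the treatment of M1 Pro/Max/Ultra, and the sample data are assumptions; a hit is a lead for review, not a verdict.

```python
import re
import subprocess

GPU_COMPUTE = {"Metal", "MetalPerformanceShaders"}  # frameworks named in the list above
# Assumption: linking one of these suggests a real UI or rendering path.
UI_RENDER = {"AppKit", "SwiftUI", "MetalKit", "QuartzCore", "SceneKit", "SpriteKit"}
_FRAMEWORK = re.compile(r"/(\w+)\.framework/")

def linked_frameworks(otool_output):
    """Framework names from `otool -L` text (dependencies are the indented lines)."""
    hits = (_FRAMEWORK.search(l) for l in otool_output.splitlines() if l[:1] in ("\t", " "))
    return {m.group(1) for m in hits if m}

def classify(otool_output):
    libs = linked_frameworks(otool_output)
    if not libs & GPU_COMPUTE:
        return "no-metal"
    return "metal-with-ui" if libs & UI_RENDER else "metal-compute-only"

def is_m1(brand):
    """brand: output of `sysctl -n machdep.cpu.brand_string`.
    Assumption: Pro/Max/Ultra variants are included; the advisory names only 'M1'."""
    return re.fullmatch(r"Apple M1( (Pro|Max|Ultra))?", brand.strip()) is not None

def triage(brand, binaries):
    """Paths to review: compute-only Metal binaries, reported only for M1 hosts."""
    if not is_m1(brand):
        return []
    return sorted(p for p, out in binaries.items() if classify(out) == "metal-compute-only")

def otool_libs(path):
    """Live collection on a macOS host with the developer tools installed."""
    return subprocess.run(["otool", "-L", path], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample `otool -L` output; paths and version numbers are invented.
_V = " (compatibility version 1.0.0, current version 1.0.0)\n"
_F = "\t/System/Library/Frameworks/"
SAMPLE = {
    "/Applications/Sync Helper.app/Contents/MacOS/helper":
        "helper:\n" + _F + "Metal.framework/Versions/A/Metal" + _V
        + "\t/usr/lib/libSystem.B.dylib" + _V,
    "/Applications/Viewer.app/Contents/MacOS/Viewer":
        "Viewer:\n" + _F + "Metal.framework/Versions/A/Metal" + _V
        + _F + "AppKit.framework/Versions/C/AppKit" + _V,
    "/usr/local/bin/archiver":
        "archiver:\n\t/usr/lib/libSystem.B.dylib" + _V,
}

if __name__ == "__main__":
    print(triage("Apple M1", SAMPLE))
```

`otool -L` lists only direct dependencies, so a binary that reaches Metal through another library is not caught by this pass.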
Monitoring Recommendations
- Enable endpoint logging for Metal API usage and child process creation tied to GPU command submission
- Track installation of applications outside the Mac App Store on M1 hardware, especially developer-signed or notarized utilities with shader assets
- Alert on co-execution of high-value cryptographic workloads alongside untrusted third-party apps on legacy M1 systems
How to Mitigate CVE-2026-49269
Immediate Actions Required
- Inventory all Apple M1 endpoints and identify systems handling cryptographic keys, password vaults, or other high-value secrets on the GPU
- Restrict installation of untrusted third-party applications on M1 hardware through Mobile Device Management policy
- Migrate sensitive workloads from M1 systems to current-generation Apple Silicon where the issue has been addressed at the hardware level
- Audit in-house Metal compute code to ensure it does not depend on register isolation for confidentiality
Patch Information
The vendor stated that the behavior affects only legacy hardware and has been addressed at the hardware level in current-generation Apple Silicon. No software patch is available for M1 systems. Mitigation on affected hardware requires platform replacement or workload migration. Consult the GitHub Gist PoC for technical context on the affected register behavior.
Workarounds
- Move secret-handling cryptographic operations off the GPU and onto the Secure Enclave or CPU on affected M1 hardware
- Explicitly overwrite GPU registers and thread-group memory with zeros at the end of sensitive compute kernels before releasing the command buffer
- Avoid running untrusted applications concurrently with workloads that place secrets in GPU registers
- Apply Gatekeeper and notarization enforcement to block unsigned Metal-using binaries on legacy M1 fleets

