






















-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-03-24-2026-4 macOS Sequoia 15.7.5 macOS Sequoia 15.7.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/126795. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. 802.1X Available for: macOS Sequoia Impact: An attacker in a privileged network position may be able to intercept network traffic Description: An authentication issue was addressed with improved state management. CVE-2026-28865: Héloïse Gollier and Mathy Vanhoef (KU Leuven) Accounts Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: An authorization issue was addressed with improved state management. CVE-2026-28877: Rosyna Keller of Totally Not Malicious Software apache Available for: macOS Sequoia Impact: Multiple issues in Apache Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-55753 CVE-2025-58098 CVE-2025-59775 CVE-2025-65082 CVE-2025-66200 AppleKeyStore Available for: macOS Sequoia Impact: An app may be able to cause unexpected system termination Description: A use after free issue was addressed with improved memory management. CVE-2026-20637: Johnny Franks (zeroxjf), an anonymous researcher AppleMobileFileIntegrity Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: An authorization issue was addressed with improved state management. CVE-2026-28824: Mickey Jin (@patch1t) AppleMobileFileIntegrity Available for: macOS Sequoia Impact: An app may be able to access user-sensitive data Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. CVE-2026-20699: Mickey Jin (@patch1t) Audio Available for: macOS Sequoia Impact: Processing maliciously crafted web content may lead to an unexpected process crash Description: A use-after-free issue was addressed with improved memory management. CVE-2026-28879: Justin Cohen of Google Audio Available for: macOS Sequoia Impact: An attacker may be able to cause unexpected app termination Description: A type confusion issue was addressed with improved memory handling. CVE-2026-28822: Jex Amro Calling Framework Available for: macOS Sequoia Impact: A remote attacker may be able to cause a denial-of-service Description: A denial-of-service issue was addressed with improved input validation. CVE-2026-28894: an anonymous researcher CFNetwork Available for: macOS Sequoia Impact: A remote user may be able to write arbitrary files Description: A path handling issue was addressed with improved logic. CVE-2026-20660: Amy (amys.website) Clipboard Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: This issue was addressed with improved validation of symlinks. CVE-2026-28866: Cristian Dinca (icmd.tech) configd Available for: macOS Sequoia Impact: Processing a maliciously crafted string may lead to heap corruption Description: An integer overflow was addressed with improved input validation. CVE-2026-20639: @cloudlldb of @pixiepointsec CoreMedia Available for: macOS Sequoia Impact: Processing an audio stream in a maliciously crafted media file may terminate the process Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-20690: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative CoreServices Available for: macOS Sequoia Impact: An app may be able to gain elevated privileges Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2026-28821: YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab CoreServices Available for: macOS Sequoia Impact: An app may be able to break out of its sandbox Description: A permissions issue was addressed with additional sandbox restrictions. CVE-2026-28838: an anonymous researcher CoreUtils Available for: macOS Sequoia Impact: A user in a privileged network position may be able to cause a denial-of-service Description: A null pointer dereference was addressed with improved input validation. CVE-2026-28886: Etienne Charron (Renault) and Victoria Martini (Renault) CUPS Available for: macOS Sequoia Impact: An app may be able to gain root privileges Description: A race condition was addressed with improved state handling. CVE-2026-28888: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs curl Available for: macOS Sequoia Impact: An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-14524 DesktopServices Available for: macOS Sequoia Impact: An app may be able to access user-sensitive data Description: This issue was addressed with improved handling of symlinks. CVE-2026-20633: Mickey Jin (@patch1t) DeviceLink Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2026-28876: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs Diagnostics Available for: macOS Sequoia Impact: An app may be able to modify protected parts of the file system Description: A permissions issue was addressed by removing the vulnerable code. CVE-2026-28892: 风沐云烟 (@binary_fmyy) and Minghao Lin (@Y1nKoc) File System Available for: macOS Sequoia Impact: An app may be able to disclose kernel memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2026-28832: DARKNAVY (@DarkNavyOrg) Focus Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A logging issue was addressed with improved data redaction. CVE-2026-20668: Kirin (@Pwnrin) GPU Drivers Available for: macOS Sequoia Impact: An app may be able to cause unexpected system termination Description: A race condition was addressed with improved state handling. CVE-2026-28834: an anonymous researcher iCloud Available for: macOS Sequoia Impact: An app may be able to enumerate a user's installed apps Description: A permissions issue was addressed with additional restrictions. CVE-2026-28880: Zhongcheng Li from IES Red Team ImageIO Available for: macOS Sequoia Impact: Processing a maliciously crafted file may lead to unexpected app termination Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-64505 Kernel Available for: macOS Sequoia Impact: An app may be able to disclose kernel memory Description: A logging issue was addressed with improved data redaction. CVE-2026-28868: 이동하 (Lee Dong Ha of BoB 0xB6) Kernel Available for: macOS Sequoia Impact: An app may be able to leak sensitive kernel state Description: This issue was addressed with improved authentication. CVE-2026-28867: Jian Lee (@speedyfriend433) Kernel Available for: macOS Sequoia Impact: An app may be able to determine kernel memory layout Description: An information disclosure issue was addressed with improved memory management. CVE-2026-20695: 이동하 (Lee Dong Ha of BoB 0xB6) working with TrendAI Zero Day Initiative, hari shanmugam Kernel Available for: macOS Sequoia Impact: An app may be able to cause unexpected system termination or write kernel memory Description: A use after free issue was addressed with improved memory management. CVE-2026-20687: Johnny Franks (@zeroxjf) Kernel Available for: macOS Sequoia Impact: An app may be able to modify protected parts of the file system Description: A permissions issue was addressed with additional restrictions. CVE-2026-28829: Sreejith Krishnan R libxpc Available for: macOS Sequoia Impact: An app may be able to access protected user data Description: A permissions issue was addressed with additional restrictions. CVE-2026-20607: an anonymous researcher Mail Available for: macOS Sequoia Impact: "Hide IP Address" and "Block All Remote Content" may not apply to all mail content Description: A privacy issue was addressed with improved handling of user preferences. CVE-2026-20692: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs mDNSResponder Available for: macOS Sequoia Impact: An app may be able to leak sensitive kernel state Description: This issue was addressed with improved authentication. CVE-2026-28867: Jian Lee (@speedyfriend433) Messages Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A privacy issue was addressed with improved handling of temporary files. CVE-2026-20651: Chunyu Song of NorthSea MigrationKit Available for: macOS Sequoia Impact: An app may be able to access user-sensitive data Description: This issue was addressed with improved handling of symlinks. CVE-2026-20694: Rodolphe Brunetti (@eisw0lf) of Lupus Nova NetAuth Available for: macOS Sequoia Impact: An app may be able to break out of its sandbox Description: A race condition was addressed with additional validation. CVE-2026-28891: an anonymous researcher NetAuth Available for: macOS Sequoia Impact: An app may be able to connect to a network share without user consent Description: An access issue was addressed with additional sandbox restrictions. CVE-2026-20701: Matej Moravec (@MacejkoMoravec) NetAuth Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: The issue was addressed with improved checks. CVE-2026-28839: Mickey Jin (@patch1t) NetFSFramework Available for: macOS Sequoia Impact: An app may be able to break out of its sandbox Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2026-28827: Csaba Fitzl (@theevilbit) of Iru, an anonymous researcher Notes Available for: macOS Sequoia Impact: An app may be able to delete files for which it does not have permission Description: A path handling issue was addressed with improved validation. CVE-2026-28816: Dawuge of Shuffle Team and Hunan University PackageKit Available for: macOS Sequoia Impact: An attacker with root privileges may be able to delete protected system files Description: This issue was addressed through improved state management. CVE-2026-20693: Mickey Jin (@patch1t) Phone Available for: macOS Sequoia Impact: An app may be able to access user-sensitive data Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2026-28862: Kun Peeks (@SwayZGl1tZyyy) Printing Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: An authorization issue was addressed with improved state management. CVE-2026-28831: an anonymous researcher Printing Available for: macOS Sequoia Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A race condition was addressed with improved state handling. CVE-2026-28817: Gyujeong Jin (@G1uN4sh) at Team.0xb6 Printing Available for: macOS Sequoia Impact: An app may be able to break out of its sandbox Description: A path handling issue was addressed with improved validation. CVE-2026-20688: wdszzml and Atuin Automated Vulnerability Discovery Engine Security Available for: macOS Sequoia Impact: A local attacker may gain access to user's Keychain items Description: This issue was addressed with improved permissions checking. CVE-2026-28864: Alex Radocea SMB Available for: macOS Sequoia Impact: Mounting a maliciously crafted SMB network share may lead to system termination Description: A use-after-free issue was addressed with improved memory management. CVE-2026-28835: Christian Kohlschütter SMB Available for: macOS Sequoia Impact: An app may be able to modify protected parts of the file system Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2026-28825: Sreejith Krishnan R Spotlight Available for: macOS Sequoia Impact: An app may be able to access user-sensitive data Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. CVE-2026-20699: Mickey Jin (@patch1t) Spotlight Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A logging issue was addressed with improved data redaction. CVE-2026-28818: @pixiepointsec Spotlight Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A permissions issue was addressed with additional restrictions. CVE-2026-20697: @pixiepointsec TCC Available for: macOS Sequoia Impact: An app may be able to access sensitive user data Description: A permissions issue was addressed by removing the vulnerable code. CVE-2026-28828: Mickey Jin (@patch1t) UIFoundation Available for: macOS Sequoia Impact: An app may be able to cause a denial-of-service Description: A stack overflow was addressed with improved input validation. CVE-2026-28852: Caspian Tarafdar Vision Available for: macOS Sequoia Impact: Parsing a maliciously crafted file may lead to an unexpected app termination Description: The issue was addressed with improved memory handling. CVE-2026-20657: Andrew Becker WebDAV Available for: macOS Sequoia Impact: An app may be able to modify protected parts of the file system Description: A permissions issue was addressed with additional restrictions. CVE-2026-28829: Sreejith Krishnan R Additional recognition Admin Framework We would like to acknowledge Sota Toyokura for their assistance. CoreServices We would like to acknowledge YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab, Fein, Iccccc & Ziiiro for their assistance. IOGPUFamily We would like to acknowledge Wang Yu of Cyberserval for their assistance. Kernel We would like to acknowledge Xinru Chi of Pangu Lab for their assistance. Notes We would like to acknowledge Dawuge of Shuffle Team and Hunan University for their assistance. ppp We would like to acknowledge Dave G. for their assistance. Shortcuts We would like to acknowledge Waleed Barakat (@WilDN00B) and Paul Montgomery (@nullevent) for their assistance. macOS Sequoia 15.7.5 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Releases web site: https://support.apple.com/100100. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEhjkl+zMLNwFiCT1o4Ifiq8DH7PUFAmnDIvQACgkQ4Ifiq8DH 7PUFaQ/+NTpgKxb9vm31Oh8/tOl2Km6SqC9MhPmjjhB3RwJ8wBBmiLjPqtio25TU ZbKrH73Y7C6+unmfMwaRD5TR4YCV7eXlqWWqsAJelfFhDfuNgaLGZ+9A2teRLC7F eq5i5SK4xu7JDzHNUrXTPwups4w3L9de5cPMBghsrrq6QgaTbQDrxkCrB7Jrhsah QrZMWQk/aBR6qd9vLyGM/pzooVkTa7fM/Lqaio0TxvPZZlHxdK7zId6hwPuj1+lW xNEPHZmnG1kEFLTqC91KWf28OWBlzR/TlFYmaFBzwdHwQn4/JhCKOAI9ECUWAdZO GhtanYLmsdOvQ4odObzLhN62ZlvkiEroqbNXWoVWiiUsNoeSJbIFrkBeAW1Mo2P7 qGVa8OqHHgtckNt++r0RuUpDG0nbseebSc7DD8x3SD7RT5Ds5Igcr2fQYvn9EywV y2a8je6FJoIVRitoRo/6K/6GgbQJucn8GeYn7WQrWJ4JyLoPzObi3juvISJceyqA GKinWdGs/03Ffs+17dcfLWHjAYrt2+Lujz2wm4uvR/4pazA2ZkpylL1GayLlj8WF gfTlLECKvc8oIFjKKLdFZRsugr/exHg10eKQifzABnb03pHYUXJeELtx63AqgvHv xJVxO5Z5d+WcSuUaBZTLTokpY6y06pzJOzI8AdEzVXnvgkjG/ho= =Sf6B -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。