CVE-2026-28924
Race Condition in macOS Contacts Access
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | macos_sequoia | 15.7.7 |
| apple | macos_sonoma | 14.8.7 |
| apple | macos_tahoe | 26.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your macOS system to one of the fixed versions: macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5.
Can you explain this vulnerability to me?
This vulnerability is a race condition related to the handling of symbolic links in certain versions of macOS. Due to this issue, an application may be able to access the user's Contacts without obtaining their consent.
How can this vulnerability impact me? :
The vulnerability could allow an application to access your Contacts data without your permission, potentially exposing your personal or sensitive contact information to unauthorized apps.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an app to access Contacts without user consent due to a race condition involving symbolic link handling.
Unauthorized access to personal contact information could potentially lead to violations of privacy regulations such as GDPR and HIPAA, which require explicit user consent and protection of personal data.
Therefore, this issue may impact compliance with these standards by undermining user consent mechanisms and exposing sensitive personal information.