CVE-2026-28817

Description

A race condition was addressed with improved state handling. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A sandboxed process may be able to circumvent sandbox restrictions.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE

macOS Sequoia < 15.7.5

macOS Sonoma < 14.8.5

macOS Tahoe < 26.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import os
import threading
import time

# Conceptual PoC for Race Condition in Sandbox State Handling
# This script simulates a TOCTOU (Time-of-Check to Time-of-Use) race condition
# attempting to access a protected resource before the sandbox restricts it.

class SandboxEscapeExploit(threading.Thread):
    def __init__(self):
        super(SandboxEscapeExploit, self).__init__()
        self.running = True
        self.exploit_success = False

    def run(self):
        # Thread 1: Continuously check and attempt to access protected resource
        while self.running:
            try:
                # Simulate accessing a file that should be blocked by sandbox
                # In a real exploit, this would be a specific syscall sequence
                with open('/private/var/log/system.log', 'r') as f:
                    content = f.read()
                    if content:
                        print("[+] Sandbox bypass detected! Read protected file.")
                        self.exploit_success = True
                        self.running = False
                        break
            except PermissionError:
                # Expected if sandbox is working correctly
                pass
            except IOError:
                pass

    def stop(self):
        self.running = False

def trigger_race_condition():
    # Thread 2: Attempt to manipulate state or timing
    # This simulates the triggering of the race condition
    print("[*] Attempting to trigger race condition in state handling...")
    time.sleep(0.001) 

if __name__ == "__main__":
    print("[*] Starting CVE-2026-28817 PoC Simulation...")
    exploit_thread = SandboxEscapeExploit()
    exploit_thread.start()

    # Loop to trigger the race condition alongside the checking thread
    for _ in range(1000):
        trigger_race_condition()
        if not exploit_thread.running:
            break

    exploit_thread.stop()
    exploit_thread.join()

    if exploit_thread.exploit_success:
        print("[+] Exploit successful: Sandbox restrictions bypassed.")
    else:
        print("[-] Exploit failed: Sandbox held firm.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-28817
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-28817
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-28817/
[4] VulDB https://vuldb.com/cve/CVE-2026-28817
[5] https://support.apple.com/en-us/126794
[6] https://support.apple.com/en-us/126795
[7] https://support.apple.com/en-us/126796

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-28817", "sourceIdentifier": "[email protected]", "published": "2026-03-25T01:17:06.980", "lastModified": "2026-03-25T20:52:51.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition was addressed with improved state handling. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A sandboxed process may be able to circumvent sandbox restrictions."}, {"lang": "es", "value": "Una condición de carrera se abordó con una gestión de estado mejorada. Este problema se corrigió en macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. Un proceso en sandbox podría eludir las restricciones del sandbox."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0", "versionEndExcluding": "14.8.5", "matchCriteriaId": "D66288AF-23BD-407A-81F5-F1DFBF84C622"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0", "versionEndExcluding": "15.7.5", "matchCriteriaId": "DD21D2C9-BBEC-4E8E-B8D2-C92B7E6155E1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.4", "matchCriteriaId": "6CF848CD-25D4-4371-BEF3-1ACCE47AD81F"}]}]}], "references": [{"url": "https://support.apple.com/en-us/126794", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126795", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126796", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}