macOS Unauthorized Contact Access via Symbolic Link Race (fixed 15.7.7/14.8.7/26.5)
CVE-2026-28924 Published on May 11, 2026
A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access Contacts without user consent.
Vulnerability Analysis
CVE-2026-28924 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is a Race Condition Vulnerability?
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CVE-2026-28924 has been classified to as a Race Condition vulnerability or weakness.
Products Associated with CVE-2026-28924
stack.watch emails you whenever new vulnerabilities are published in Apple macOS or Apple Macos Sonoma. Just hit a watch button to start following.
Affected Versions
Apple macOS:- Before 14.8.7 is affected.
- Before 15.7.7 is affected.
- Before 26.5 is affected.