About the security content of macOS Sequoia 15.7.7

This document describes the security content of macOS Sequoia 15.7.7.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Sequoia 15.7.7

APFS

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28959: Dave G.

AppleJPEG

Available for: macOS Sequoia

Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory

Description: A memory corruption issue was addressed with improved input validation.

CVE-2026-28956: impost0r (ret2plt)

Audio

Available for: macOS Sequoia

Impact: Processing an audio stream in a maliciously crafted media file may terminate the process

Description: The issue was addressed with improved memory handling.

CVE-2026-39869: David Ige of Beryllium Security

CoreMedia

Available for: macOS Sequoia

Impact: An app may be able to access private information

Description: This issue was addressed through improved state management.

CVE-2026-28922: Arni Hardarson

Crash Reporter

Available for: macOS Sequoia

Impact: An app may be able to enumerate a user's installed apps

Description: A privacy issue was addressed by removing sensitive data.

CVE-2026-28878: Zhongcheng Li from IES Red Team

CUPS

Available for: macOS Sequoia

Impact: An app may be able to gain root privileges

Description: A parsing issue in the handling of directory paths was addressed with improved path validation.

CVE-2026-28915: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

FileProvider

Available for: macOS Sequoia

Impact: An app may be able to access sensitive user data

Description: A race condition was addressed with additional validation.

CVE-2026-43659: Alex Radocea

GPU Drivers

Available for: macOS Sequoia

Impact: A malicious app may be able to break out of its sandbox

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28923: Kun Peeks (@SwayZGl1tZyyy)

HFS

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28925: Dave G., Aswin Kumar Gokula Kannan

Icons

Available for: macOS Sequoia

Impact: An app may be able to break out of its sandbox

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2025-43524: Csaba Fitzl (@theevilbit) of Iru

ImageIO

Available for: macOS Sequoia

Impact: Processing a maliciously crafted file may lead to unexpected app termination

Description: The issue was addressed with improved bounds checks.

CVE-2026-28977: Suresh Sundaram

ImageIO

Available for: macOS Sequoia

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28990: Jiri Ha, Arni Hardarson

Installer

Available for: macOS Sequoia

Impact: A malicious app may be able to break out of its sandbox

Description: A permissions issue was addressed with additional restrictions.

CVE-2026-28978: wdszzml and Atuin Automated Vulnerability Discovery Engine

IOHIDFamily

Available for: macOS Sequoia

Impact: An attacker may be able to cause unexpected app termination

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2026-28992: Johnny Franks (@zeroxjf)

IOHIDFamily

Available for: macOS Sequoia

Impact: An app may be able to determine kernel memory layout

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28943: Google Threat Analysis Group

IOKit

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar

Kernel

Available for: macOS Sequoia

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)

Kernel

Available for: macOS Sequoia

Impact: A maliciously crafted disk image may bypass Gatekeeper checks

Description: A file quarantine bypass was addressed with additional checks.

CVE-2026-28954: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel

Available for: macOS Sequoia

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: A buffer overflow was addressed with improved input validation.

CVE-2026-28897: Robert Tran, popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Aswin kumar Gokulakannan

Kernel

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination

Description: An integer overflow was addressed with improved input validation.

CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research

Kernel

Available for: macOS Sequoia

Impact: An app may be able to modify protected parts of the file system

Description: A denial of service issue was addressed by removing the vulnerable code.

CVE-2026-28908: beist

Kernel

Available for: macOS Sequoia

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru

Kernel

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)

Kernel

Available for: macOS Sequoia

Impact: An app may be able to cause unexpected system termination

Description: A race condition was addressed with additional validation.

CVE-2026-28986: Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io), Chris Betz

Kernel

Available for: macOS Sequoia

Impact: An app may be able to leak sensitive kernel state

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)

Mail Drafts

Available for: macOS Sequoia

Impact: Replying to an email could display remote images in Mail in Lockdown Mode

Description: A logic issue was addressed with improved checks.

CVE-2026-28929: Yiğit Can YILMAZ (@yilmazcanyigit)

mDNSResponder

Available for: macOS Sequoia

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A use after free issue was addressed with improved memory management.

CVE-2026-43668: Ricardo Prado, Anton Pakhunov

mDNSResponder

Available for: macOS Sequoia

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2026-43666: Ian van der Wurff (ian.nl)

Model I/O

Available for: macOS Sequoia

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative

Model I/O

Available for: macOS Sequoia

Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents

Description: The issue was addressed with improved checks.

CVE-2026-28941: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative

Networking

Available for: macOS Sequoia

Impact: An attacker may be able to track users through their IP address

Description: This issue was addressed through improved state management.

CVE-2026-28906: Ilya Sc. Jowell A.

PackageKit

Available for: macOS Sequoia

Impact: An app may be able to gain root privileges

Description: A permissions issue was addressed with additional restrictions.

CVE-2026-28840: Morris Richman (@morrisinlife), Andrei Dodu

Quick Look

Available for: macOS Sequoia

Impact: Parsing a maliciously crafted file may lead to an unexpected app termination

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2026-43656: Peter Malone

SceneKit

Available for: macOS Sequoia

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-39870: Peter Malone

SceneKit

Available for: macOS Sequoia

Impact: A remote attacker may be able to cause unexpected app termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28846: Peter Malone

Shortcuts

Available for: macOS Sequoia

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by adding an additional prompt for user consent.

CVE-2026-28993: Doron Assness

SMB

Available for: macOS Sequoia

Impact: A remote attacker may be able to cause unexpected system termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28848: Peter Malone, Dave G. and Alex Radocea of Supernetworks

Spotlight

Available for: macOS Sequoia

Impact: An app may be able to cause a denial-of-service

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2026-28974: Andy Koo (@andykoo) of Hexens

Storage

Available for: macOS Sequoia

Impact: An app may be able to access sensitive user data

Description: A race condition was addressed with additional validation.

CVE-2026-28996: Alex Radocea

StorageKit

Available for: macOS Sequoia

Impact: An app may be able to gain root privileges

Description: A consistency issue was addressed with improved state handling.

CVE-2026-28919: Amy (amys.website)

Sync Services

Available for: macOS Sequoia

Impact: An app may be able to access Contacts without user consent

Description: A race condition was addressed with improved handling of symbolic links.

CVE-2026-28924: YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab, Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

TV App

Available for: macOS Sequoia

Impact: An app may be able to observe unprotected user data

Description: A path handling issue was addressed with improved logic.

CVE-2026-39871: an anonymous researcher

Wi-Fi

Available for: macOS Sequoia

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2026-28819: Wang Yu

Wi-Fi

Available for: macOS Sequoia

Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28994: Alex Radocea

zlib

Available for: macOS Sequoia

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: An information leakage was addressed with additional validation.

CVE-2026-28920: Brendon Tiszka of Google Project Zero

Additional recognition

Kernel

We would like to acknowledge Ryan Hileman via Xint Code (xint.io) for their assistance.

Location

We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.

OpenSSH

We would like to acknowledge Anand Patil for their assistance.