Apple macOS Tahoe 26.4 Security Update Patches Over 70 CVEs, Including Critical WebKit and Kernel Flaws
John
March 26, 2026 (Last updated: March 26, 2026)
Apple’s macOS Tahoe 26.4 security update, released on March 24, 2026, patches over 70 vulnerabilities across the OS, including WebKit, kernel, networking, and privacy‑related components.
The fixes span privilege escalation, sandbox escapes, data leakage, and denial‑of‑service issues, many of them tied to long‑standing subsystems such as Kernel, CoreServices, TCC, SMB, and the WebKit browser engine.
Apple’s security model rests on layered mitigations: entitlement checks, sandboxing, code signing, and kernel‑side memory protections. Tahoe 26.4 tightens all of these areas, closing pathways that could otherwise let malicious apps bypass Gatekeeper, escape sandbox restrictions, or read kernel memory.
For security teams, this means a single unpatched macOS machine could provide attackers with a foothold for privilege escalation, data exfiltration, or sustained access via persistence mechanisms.
Notable vulnerabilities in macOS Tahoe 26.4
| Component / Subsystem | CVE‑ID | Risk category | Impact in brief | Source of impact description |
|---|---|---|---|---|
| Kernel | CVE‑2026‑28868 | Information disclosure | The app may leak sensitive kernel state via authentication flaws. | Apple security notes |
| Kernel | CVE‑2026‑28867 | Information disclosure | A malicious site may bypass the Same Origin Policy via the Navigation API. | Apple security notes |
| Kernel | CVE‑2026‑20695 | Information disclosure | DoS/memory corruption | Apple security notes |
| Kernel | CVE‑2026‑20698 | The app may cause unexpected system termination or corrupt kernel memory. | The app may determine the kernel memory layout. | Apple security notes |
| Kernel | CVE‑2026‑20687 | Memory corruption | Use‑after‑free bug in kernel memory handling. | Apple security notes |
| WebKit | CVE‑2026‑20665 | Logic / SoP bypass | Malicious web content may bypass Content Security Policy. | Apple notes, HK‑CERT |
| WebKit | CVE‑2026‑20643 | Logic / SoP bypass | Malicious web content may trigger a process crash via memory‑handling bugs. | Apple notes, HK‑CERT |
| WebKit | CVE‑2026‑28871 | XSS | Cross‑site scripting via crafted web content. | Apple notes, HK‑CERT |
| WebKit | CVE‑2026‑20664 / CVE‑2026‑28857 | Memory safety | Privacy/fingerprinting | Apple notes, NVD‑style |
| WebKit Sandboxing | CVE‑2026‑20691 | A malicious webpage may fingerprint the user by leaking data. | A malicious site may process restricted web content outside the sandbox. | Apple notes, NVD‑style |
| WebKit | CVE‑2026‑28859 | Sandbox escape | Logic/data access | NVD, security bulletin |
| WebKit | CVE‑2026‑28861 | A malicious site may access script message handlers for other origins. | CVE‑2026‑20692 | Apple notes, HK‑CERT |
| CoreServices | CVE‑2026‑28821 | Privilege escalation | The app may gain elevated privileges due to an entitlement‑validation issue. | Apple security notes |
| CoreServices | CVE‑2026‑28838 | Sandbox escape | App may enumerate the user’s installed apps via iCloud APIs. | Apple security notes |
| TCC | CVE‑2026‑28828 | Data‑access / privacy | The app may access sensitive user data via a TCC permissions flaw. | Apple security notes |
| SMB | CVE‑2026‑28835 | DoS | App may modify protected filesystem parts via OOB writes. | Apple security notes |
| SMB | CVE‑2026‑28825 | Memory corruption | Mounting a malicious SMB share may cause the system to crash. | Apple security notes |
| GPU Drivers | CVE‑2026‑28834 | The app may cause unexpected system termination due to a race condition. | The app | Apple security notes |
| CoreMedia | CVE‑2026‑20690 | Memory corruption | Privacy/enumeration | Apple security notes |
| iCloud | CVE‑2026‑28881 | Privacy | App may access sensitive iCloud‑related data. | Apple security notes |
| iCloud | CVE‑2026‑28880 / CVE‑2026‑28833 | The app may access protected user data. | The app may escape its sandbox. | Apple security notes |
| Printing | CVE‑2026‑28817 / CVE‑2026‑20688 | Sandbox escape | Sandboxed printing operations may circumvent sandbox restrictions. | Apple security notes |
| libxpc | CVE‑2026‑28882 | Enumeration | App may enumerate installed apps via libxpc checks. | Apple security notes |
| libxpc | CVE‑2026‑20607 | Data‑access | Processing a malicious audio stream may terminate the process. | Apple security notes |
| Mail | “causeddress” and “Block All Remote Content” may not apply to all email content. | Privacy | Malicious site may bypass the Same Origin Policy via the Navigation API. | Apple notes, CVE‑tracker |
| LaunchServices | The app may access sensitive user data via logging and permission issues. | Data‑access | The app may access protected user data due to an authorization issue. | Apple security notes |
| Spotlight | CVE‑2026‑28818 / CVE‑2026‑20697 | Data‑access / privacy | The app may access sensitive user data through StorageKit. | Apple security notes |
| StorageKit | CVE‑2026‑28820 | Data‑access | An attacker may gain access to protected parts of the file system. | Apple security notes |
| SystemMigration | CVE‑2026‑28844 | File‑system / privilege | A malicious archive may exploit symlink handling to access user‑sensitive data. | Apple security notes |
| Archive Utility | CVE‑2026‑20633 | Data‑access | Data‑access via symlink-handling issue in migration tools. | Apple security notes |
| MigrationKit | CVE‑2026‑20694 | Data‑access | Data‑access issue in migration tools. | Apple security notes |
Apply the macOS Tahoe 26.4 update immediately on all Macs, especially workstations, admin machines, and internet‑facing systems.
Enforce automatic OS updates and patch management (via MDM or Jamf) to minimize time‑to‑patch for future security releases.
Tighten TCC and app‑level permissions; restrict unnecessary access to the camera, microphone, Contacts, and other sensitive data on all endpoints.
Disable or tightly control SMB shares and network mounts, and avoid mounting untrusted SMB shares that could trigger kernel or filesystem vulnerabilities.
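One way to check a single Mac against the recommendations above, as an added example that is not from Apple or from this article: it compares the installed version with 26.4, reads the automatic-install preference, and lists mounted SMB shares. The function names are hypothetical, and the preference key is the legacy local setting, which is an assumption for MDM-managed Macs where update policy may be enforced elsewhere.

```shell
#!/bin/sh
# Added example (not Apple's or the article's code): local patch and exposure check.
MIN_VERSION="26.4"   # release named in the article

# version_ge A B: succeed when dotted version A >= B, compared field by field
# as numbers (so 26.10 > 26.4); missing fields count as 0.
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a= || a=${a#*.}
    [ "$b" = "$y" ] && b= || b=${b#*.}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# patch_status VERSION: print PATCHED or OUTDATED relative to MIN_VERSION.
patch_status() {
  if version_ge "$1" "$MIN_VERSION"; then echo PATCHED; else echo OUTDATED; fi
}

# smb_mounts: read `mount` output on stdin, print "source -> mountpoint"
# for every smbfs entry and nothing for other filesystems.
smb_mounts() {
  sed -n 's/^\(.*\) on \(.*\) (smbfs[,)].*$/\1 -> \2/p'
}

audit_host() {
  ver=$(sw_vers -productVersion)
  echo "macOS $ver: $(patch_status "$ver") (minimum $MIN_VERSION)"
  # Assumption: legacy preference key; MDM may manage updates elsewhere.
  auto=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate \
         AutomaticallyInstallMacOSUpdates 2>/dev/null || echo unset)
  echo "AutomaticallyInstallMacOSUpdates: $auto"
  echo "Mounted SMB shares:"
  mount | smb_mounts
}

# Run the live audit only on a Mac; the helpers above work on any system.
if [ "$(uname -s)" = "Darwin" ]; then audit_host; fi
```

Any share listed under "Mounted SMB shares" should map to a server the team controls; an OUTDATED result means the host still lacks the fixes described above.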
I'm a cybersecurity researcher and threat intelligence writer focused on malware campaigns, data breaches, OSINT, and emerging attack techniques. Passionate about breaking down complex security threats into clear, actionable insights.