
macOS Tahoe 26.5 fixes a Gatekeeper bypass and serious kernel bugs

Apple released macOS Tahoe 26.5 on May 11, 2026 with fixes spread across more than twenty subsystems, from the kernel down to the CUPS printing system. The patch that matters most for anyone managing Macs is CVE-2026-28954, a flaw that leaves Gatekeeper unable to do its job.

What CVE-2026-28954 is

Gatekeeper is the barrier that decides whether a downloaded app gets to run. It checks the signature and honors the quarantine attribute macOS attaches to files arriving from the internet. CVE-2026-28954 breaks that check: a maliciously crafted disk image can bypass the quarantine control and, with it, Gatekeeper’s validation. Apple describes it as a file quarantine bypass, addressed by adding extra checks. The report came from Yiğit Can YILMAZ.

In practice an attacker can package code inside a .dmg and get the system to treat it as if it never came from the internet, skipping the warning that normally stops an unnotarized app. That fits campaigns that rely on a victim opening an installer pulled from some random site.

The two kernel bugs in the same release

Tahoe 26.5 carries two more kernel fixes worth applying at the same time:

  • CVE-2026-28897, a buffer overflow in the kernel. A local user can cause an unexpected system termination or read kernel memory. Apple fixed it with improved input validation.
  • CVE-2026-28972, an out-of-bounds write. An app can cause an unexpected system termination or write kernel memory, which opens the door to corrupting privileged structures. It was also resolved with better input validation.

Reading kernel memory helps defeat address randomization; writing to it is the building block of a privilege escalation. On their own these are serious; chained with another bug they are exactly what a local exploit is after.

Who is affected and what to do

Any Mac running macOS Tahoe is in scope. CVE-2026-28954 matters most on machines where users install software from outside the App Store, since that is where Gatekeeper is the last line before running something questionable. The two kernel bugs need local access, so the risk rises on shared machines or accounts you trust less.

Apple has not reported active exploitation of any of these flaws at the time of release. Even so, Gatekeeper bypasses get reused fast once they are documented, so waiting is a bad idea.

The mitigation is straightforward: update to macOS Tahoe 26.5 from System Settings, General, Software Update. There is no middle setting or flag that stands in for the patch. If you manage a fleet, push the update via MDM and confirm no machine is stuck on an older build.
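For the fleet check described above, the following is an added example, not Apple's tooling or anything from the original article. It assumes an inventory exported as `hostname version` lines (the sample hosts are constructed) and that Tahoe corresponds to major version 26. Version components are compared numerically, so 26.10 is not mistaken for a build older than 26.5.

```shell
#!/bin/sh
FIXED="26.5"   # fixed release named in the article

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"          # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                              # equal versions are not "lower"
}

# classify VERSION: print needs-update, patched, not-tahoe or unknown.
classify() {
    v="$1"
    case "$v" in ""|*[!0-9.]*) echo unknown; return ;; esac
    if [ "${v%%.*}" != "${FIXED%%.*}" ]; then echo not-tahoe
    elif ver_lt "$v" "$FIXED"; then echo needs-update
    else echo patched; fi
}

# audit: read "hostname version" lines on stdin and print the hosts that
# are still below the fixed release or reported no usable version.
audit() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        state=$(classify "$ver")
        case "$state" in
            needs-update|unknown) printf '%s %s %s\n' "$host" "${ver:-?}" "$state" ;;
        esac
    done
}

# On a Mac, report the local machine first.
if command -v sw_vers >/dev/null 2>&1; then
    echo "this Mac: $(classify "$(sw_vers -productVersion)")"
fi

# Constructed sample inventory (hypothetical hostnames).
audit <<'EOF'
design-01 26.4.1
build-02 26.5
lab-03 26.10
kiosk-04
EOF
```

Hosts reported as `unknown` did not return a parsable version and should be checked by hand rather than assumed patched.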
