CVE-2026-28952: Apple macOS 26.5 Kernel Vuln found by Claude

fosterfriends

Kernel Available for: macOS Tahoe Impact: An app may be able to cause unexpected system termination Description: An integer overflow was addressed with improved input validation. CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research

Gigachad

It's funny how in the past a server uptime used to be a kind of badge of honor, while now a computer running for more than a week is a massive security risk. I've had to be on top of updating everything constantly lately.

embedding-shape

Claude and Anthropic is mentioned, but not Mythos, I'm guessing this would mean then this was found outside of the whole Mythos thing, or would there be any reason for them not to mention it, if it was involved?

fl1pper

Where all of this is going? Will there be a dedicated servers running coding agents that iterate throught codebases for each company to find vulnerabilities 24/7?

sda2

One more reason to avoid upgrading to Tahoe.

vessenes

For many years my go-to plan has been to stay one point release behind apple's releases, especially the .0 releases -- but, times change. Last night I pushed the button for 26.5, thinking about the Glasswing/Mythos reporting. Seems like staying on bleeding edge is going to be the name of the game. I wonder if this will change general dynamics -- feels like LTS releases could become even more important, at the same time having reduced maintenance costs since you can have some agentic help on backporting.

neuronexmachina

CVEs: * https://nvd.nist.gov/vuln/detail/CVE-2026-28952 * https://nvd.nist.gov/vuln/detail/CVE-2026-28942

Aurornis

More than 26.5: > The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. I’ve already seen a lot of people self-congratulating for not updating to Tahoe but this isn’t exclusive to Tahoe.

three_burgers

CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such vulnerability difficult to discover by traditional SAST tools?

ZPrimed

This isn't a 26.5 bug, this is a bug fixed in 26.5.

concinds

I wonder how well Apple has deployed these tools internally for security research. Since mid-April Chrome showed 302 vulnerabilities patched, 225 of them found by Google. Same period last year was 19 vulnerabilities. They've also become more transparent recently, disclosing vulnerabilities found internally, not just externally (which Apple still doesn't appear to do). From the outside, it's hard to tell if Apple has deployed this tooling as much as Google.

dragonsenseiguy

Sidenote but: it's crazy how big this update is. 13 GB is crazy

cryptbe

Oh hey, this is our work! We helped Anthropic analyze and report this bug. For the record, this bug has nothing to do with our recent MIE attack [1] [2], which exploited two different kernel bugs. Our bugs are not fixed yet. [1] https://blog.calif.io/p/first-public-kernel-memory-corruptio... [2] https://news.ycombinator.com/item?id=48139219

maximilianburke

I haven't been able to update my iPhone in months because it just does not have enough room available to download the update. I just checked now and it needs 13.2 GB free to be able to update to iOS 26.5 (from 26.3). On a 64gb device! It just seems like massive software development malpractice to tie together critical operating system updates with whatever else they've bundled.

immanuwell

when multiple independent parties are simultaneously tripping over different holes in the same kernel, that's not bad luck, that's a systemic attack surface problem