
CVE-2026-20698: Apple fixes a macOS kernel flaw that could corrupt memory

On March 24, 2026, Apple shipped a large batch of security updates, and macOS Tahoe 26.4 carries CVE-2026-20698, a bug in the system kernel itself. This is not something an attacker can fire off from a web page or an email. It needs code already running on the machine. Even so, patch it soon, because it touches the most sensitive part of the OS.

What the flaw is

Apple describes it with its usual brevity. The problem sits in the macOS Kernel, and the impact is that “an app may be able to cause unexpected system termination or corrupt kernel memory.” The cause, per the advisory, was poor memory handling, and the fix improved that handling.

In practice a normal app, with no need for root, could feed data to the kernel in a way that made it mishandle that data and read or write where it shouldn’t. The mild outcome is a kernel panic: the machine reboots on its own. The bad outcome is kernel memory corruption, which in skilled hands can become the first link in a privilege-escalation chain. Apple has not published the exact technical detail, and there is no sign of active exploitation, but the pattern is the classic kernel memory bug.

Who is affected

The patch ships with macOS Tahoe 26.4. The same day, Apple released updates for the older branches it still supports, macOS Sequoia 15.7.5 and macOS Sonoma 14.8.5, as part of a batch that closes more than 70 CVEs in total. Among the more serious in that batch are an authorization flaw in PackageKit that granted root access (CVE-2026-28840), a broken entitlement check in CoreServices (CVE-2026-28821), and a race condition in CUPS (CVE-2026-28888).

If you run a current Mac, this applies to you. The flaw lives in the kernel, so it doesn’t depend on having any particular Apple app installed. It’s the core of the system.

Severity

Apple does not assign CVSS scores in its advisories, but “corrupt kernel memory” combined with a local vector puts this in the high range. What lowers the urgency a little is that it requires prior code execution on the device. An attacker needs a malicious app already running, or has to chain this flaw with another that provides that foothold. That is why bugs like this tend to show up inside exploit chains alongside browser or application vulnerabilities, rather than as a way in on their own.

What to do

Update. In System Settings, under General, Software Update, confirm you’re on macOS Tahoe 26.4 (or 15.7.5 / 14.8.5 depending on your branch). The update includes the fix; nothing needs to be configured by hand. If you manage a fleet of Macs through MDM, prioritize the rollout: because this batch also closes the PackageKit and CoreServices flaws, it shuts several escalation paths at once.
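As an added example, not part of this article or of any Apple tooling, here is a POSIX shell check for the fleet-verification step above: it maps the installed macOS branch to the release this article names as carrying the fix and compares versions numerically rather than as strings. The function names, and the choice to report branches not listed above as unpatched, are my assumptions.

```shell
#!/bin/sh
# Added example: decide whether a macOS product version (as printed by
# `sw_vers -productVersion`) carries the fix for CVE-2026-20698.
# Fixed releases per the advisory batch: 26.4 (Tahoe), 15.7.5 (Sequoia),
# 14.8.5 (Sonoma). Any other branch is treated as unpatched (assumption).

# Print the i-th dot-separated component of a version, 0 if absent.
vcomp() {
    printf '%s\n' "$1" | awk -F'[.]' -v f="$2" '{ print $f + 0 }'
}

# Return 0 if version $1 >= version $2, comparing up to four components
# numerically (so 26.10 correctly ranks above 26.4).
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(vcomp "$1" "$i"); y=$(vcomp "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Minimum release carrying the fix for the branch of $1; empty if none known.
fixed_version_for() {
    case "$1" in
        26|26.*) echo "26.4" ;;
        15|15.*) echo "15.7.5" ;;
        14|14.*) echo "14.8.5" ;;
        *)       echo "" ;;
    esac
}

# Return 0 if version $1 includes the fix, 1 otherwise.
patched_for_cve_2026_20698() {
    fixed=$(fixed_version_for "$1")
    [ -n "$fixed" ] || return 1
    version_ge "$1" "$fixed"
}

# On a Mac: report the installed version against the fixed release.
check_this_mac() {
    v=$(sw_vers -productVersion)
    if patched_for_cve_2026_20698 "$v"; then
        echo "macOS $v: CVE-2026-20698 fix present"
    else
        echo "macOS $v: UPDATE REQUIRED (fixed in: ${fixed:-no release listed})"
    fi
}

# Only run the live check where sw_vers exists (i.e. on macOS).
command -v sw_vers >/dev/null 2>&1 && check_this_mac
```

The hypothetical `check_this_mac` can be pushed as an MDM script; the exit status of `patched_for_cve_2026_20698` is what you would key a compliance report on.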

Apple has also started using its Background Security Improvements mechanism to deliver small patches between major releases, but this kernel fix arrived through the classic full-update route.
