On 24 March 2026 Apple shipped macOS Tahoe 26.4, an update that fixes more than seventy security vulnerabilities. The one that stands out carries the identifier CVE-2026-28840 and sits in PackageKit, the system component responsible for installing packages and software. A malicious app already running on the machine could abuse this flaw to gain root privileges, meaning full control over the system.
What goes wrong
Apple describes CVE-2026-28840 as a permissions issue resolved by adding extra restrictions. PackageKit runs with elevated privileges because it has to write to parts of the system a normal user can’t touch. The bug let an app without special privileges abuse that channel and end up running code as root.
It isn’t the only escalation in this round. Apple also patches CVE-2026-28821 in CoreServices, where a faulty check of process entitlements (the signed permissions Apple assigns to each process) let an app gain elevated privileges. And CVE-2026-28888 in CUPS, the printing system, a race condition that opened another path to root. Three different routes to the same goal, all closed in this release.
Who is affected
Apple’s bulletin documents these three flaws for macOS Tahoe 26.4. The same day, Apple released security updates for the older branches still under support, Sequoia 15.7.5 and Sonoma 14.8.5, though the per-CVE breakdown for those versions appears in their own bulletins.
Keep the severity in perspective. To exploit CVE-2026-28840 an attacker already needs code running on your Mac. It isn’t a flaw that fires from visiting a website or opening an email. The real risk shows up once you’ve installed something dubious, or when another vulnerability serves as the first rung. Even so, a root escalation is what turns a minor intrusion into a full system compromise, which is why Apple treats it as a priority.
How to protect yourself
The fix is straightforward: update. Go to System Settings, General, Software Update and apply macOS Tahoe 26.4. If you run Sequoia or Sonoma, install 15.7.5 or 14.8.5 respectively. There’s no partial mitigation that replaces the patch; the fix lives in the system’s own code.
If you manage a fleet of machines, prioritise rolling out these versions over cosmetic updates. Local root escalations tend to show up quickly in post-exploitation kits, so the window between the advisory and public exploits can be short.
For the full picture, LinuxGratis keeps a macOS profile with versions, support dates and security news.
Source
- Apple, About the security content of macOS Tahoe 26.4: https://support.apple.com/en-us/126794
- NVD, CVE-2026-28840: https://nvd.nist.gov/vuln/detail/CVE-2026-28840