CVE-2023-38586

10.0 CRITICAL

📋 TL;DR

This CVE describes a macOS sandbox escape vulnerability that allows a sandboxed process to bypass security restrictions. It affects macOS systems before Sonoma 14, potentially enabling malicious applications to access resources they shouldn't. This is a critical vulnerability with maximum CVSS score due to its potential impact.

💻 Affected Systems

Products:
  • macOS
Versions: before macOS Sonoma 14
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All macOS systems using affected versions are vulnerable by default when running sandboxed applications.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious application could escape the macOS sandbox entirely, gaining unauthorized access to sensitive files, system resources, or user data, potentially leading to full system compromise.

🟠 Likely Case

Malicious applications could bypass intended security boundaries to access restricted files or perform unauthorized actions within the system.

🟢 If Mitigated

With proper application vetting and security controls, the risk is reduced but not eliminated, as the vulnerability exists at the OS level.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious sandboxed application to be executed on the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Sonoma 14

Vendor Advisory: https://support.apple.com/en-us/HT213940

Restart Required: Yes

Instructions:

1. Open System Settings
2. Click General
3. Click Software Update
4. Install macOS Sonoma 14 or later
5. Restart when prompted

🔧 Temporary Workarounds

Restrict application installation

all

Only allow installation of applications from trusted sources and verified developers

Application sandboxing review

all

Review and restrict sandboxed applications to minimal necessary permissions

🧯 If You Can't Patch

  • Implement strict application control policies to prevent untrusted applications from running
  • Use endpoint detection and response (EDR) solutions to monitor for sandbox escape attempts

🔍 How to Verify

Check if Vulnerable:

Check the macOS version in System Settings > General > About. If the version is earlier than 14.0, the system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify that the macOS version shown in System Settings > General > About is 14.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process behavior from sandboxed applications
  • Access violations in system logs
  • Unexpected file access by sandboxed processes

Network Indicators:

  • Unusual network connections from sandboxed applications

SIEM Query:

process where parent_process_name contains "sandbox" and action = "access" and result = "denied"
