Oh hey, this is our work! We helped Anthropic analyze and report this bug.<p>For the record, this bug has nothing to do with our recent MIE attack [1] [2], which exploited two different kernel bugs. Our bugs are not fixed yet.<p>[1] <a href="https://blog.calif.io/p/first-public-kernel-memory-corruption" rel="nofollow">https://blog.calif.io/p/first-public-kernel-memory-corruptio...</a><p>[2] <a href="https://news.ycombinator.com/item?id=48139219">https://news.ycombinator.com/item?id=48139219</a>
I wonder how well Apple has deployed these tools internally for security research.<p>Since mid-April Chrome showed 302 vulnerabilities patched, 225 of them found by Google. Same period last year was 19 vulnerabilities. They've also become more transparent recently, disclosing vulnerabilities found internally, not just externally (which Apple still doesn't appear to do). From the outside, it's hard to tell if Apple has deployed this tooling as much as Google.
More than 26.5:<p>> The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.<p>I’ve already seen a lot of people self-congratulating for not updating to Tahoe but this isn’t exclusive to Tahoe.
> The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.<p>Where does this quote come from? I can't see it in <a href="https://support.apple.com/en-us/127115" rel="nofollow">https://support.apple.com/en-us/127115</a>, the article link at time of writing. It mentions CVE-2026-28952, but we're forced to guess why. I'd take the reference to mean that this issue is fixed, but I'm just some internet rando, so what the hell do I know?<p>If I do a google search for "CVE-2026-28952", it points me to various pages. Here's one, for example: <a href="https://www.cve.org/CVERecord?id=CVE-2026-28952" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2026-28952</a> - which is a bit more explicit, though of course this is not from the horse's mouth:<p>> This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5
Ah thanks! I was only looking at Tahoe since my mac had an update and I usually look at the security release notes.
Kernel
Available for: macOS Tahoe<p>Impact: An app may be able to cause unexpected system termination<p>Description: An integer overflow was addressed with improved input validation.<p>CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research
CVEs:<p>* <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-28952" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2026-28952</a><p>* <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-28942" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2026-28942</a>
This isn't a 26.5 bug, this is a bug <i>fixed</i> in 26.5.
Claude and Anthropic is mentioned, but not Mythos, I'm guessing this would mean then this was found outside of the whole Mythos thing, or would there be any reason for them not to mention it, if it was involved?
It was Mythos<p>>Our engineers, working together with Mythos Preview, built a working exploit in five days.<p><a href="https://news.ycombinator.com/item?id=48139219">https://news.ycombinator.com/item?id=48139219</a>
CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such vulnerability difficult to discover by traditional SAST tools?
For many years my go-to plan has been to stay one point release behind apple's releases, especially the .0 releases -- but, times change. Last night I pushed the button for 26.5, thinking about the Glasswing/Mythos reporting. Seems like staying on bleeding edge is going to be the name of the game.<p>I wonder if this will change general dynamics -- feels like LTS releases could become even more important, at the same time having reduced maintenance costs since you can have some agentic help on backporting.
Staying one <i>point release</i> behind is weird isn’t it? I get staying a <i>major release</i> behind, Apple’s x.0 releases are often pretty rough so it might be worth staying on x-1 for a while. But point releases mostly just fix the stuff they broke in the major release.. Would you really upgrade from 18.5 or whatever to 26.0 when Apple releases 26.1?
Point releases for macOS can be pretty large over the past several years - what often makes sense is waiting a few weeks to upgrade in case there's a .1 patch.<p>e.g. macOS 15.0, 15.1, 15.3, 15.4, 15.6 and 15.7 all had .1 patches within a few weeks of release.
Security updates still go out for older major releases back 2 versions. You didn’t need to jump to 26 if you weren’t on it.
Same! I almost never updated, now I feel like i <i>need</i> to update. Kinda feels like FOMO but for security updates
Where all of this is going? Will there be a dedicated servers running coding agents that iterate throught codebases for each company to find vulnerabilities 24/7?
Sidenote but: it's crazy how big this update is. 13 GB is crazy
[flagged]
[dead]
One more reason to avoid upgrading to Tahoe.
This was fixed in 26.5 as well as 15.7.7 etc.<p><a href="https://app.opencve.io/cve/CVE-2026-28952" rel="nofollow">https://app.opencve.io/cve/CVE-2026-28952</a>
> One more reason to avoid upgrading to Tahoe.<p>Sequoia also has security bugs :)
<a href="https://support.apple.com/en-us/127116" rel="nofollow">https://support.apple.com/en-us/127116</a>