CVE-2026-28952: Apple macOS 26.5 Kernel Vuln found by Claude

Vulnerability & Affected Systems

  • CVE-2026-28952 is an integer overflow in the macOS kernel, fixed via better input validation.
  • It is fixed in macOS Tahoe 26.5 and also in specific iOS, iPadOS, Sequoia, and Sonoma versions.
  • Some commenters initially misread it as a new Tahoe-only bug; others clarified it is a bug fixed in 26.5, not introduced there.
  • There is some confusion over exactly which prior OS versions were affected; Apple’s notes are seen as less explicit than third‑party CVE records.

Role of AI Tools (Claude/Mythos)

  • The CVE credits collaboration with Anthropic tools; another linked thread suggests Mythos was used to help build an exploit quickly.
  • Some see this as evidence that AI-assisted security research is already practical.
  • Others emphasize this is incremental on top of long‑standing techniques like fuzzing, not magic.

Security Testing & Why Bugs Persist

  • Debate over whether traditional SAST/DAST/fuzzing “should have” found this bug.
  • One side argues mature tooling already exists and often isn’t run systematically due to cost, complexity, or prioritization.
  • Others counter that large vendors already fuzz at massive scale and hire external assessors, so “they just didn’t run tools” is not convincing.
  • Several possibilities are raised: testing the wrong configurations, incomplete fixes, bad luck in fuzzing, or focusing effort on components that change frequently rather than long-stable code.

Apple’s Security Posture

  • Mixed views: some argue Apple has historically not been particularly security-focused on macOS and lagged on mitigations (ASLR, SIP, etc.).
  • Others claim Apple has led on many OS security features and now has strong architectural protections, especially post–Apple Silicon.
  • There is speculation (framed as unofficial) that Apple already uses frontier AI models internally but avoids publicizing it.

Update Strategy & Patch Cadence

  • Older norm of long uptimes is seen as incompatible with modern security; frequent updating feels necessary.
  • Some historically stayed one major or point release behind but now feel pressure to stay on the latest for security reasons.
  • Others note Apple backports security fixes to older major versions, so jumping to the newest OS is not always required.

Future of Automated Security Auditing

  • Several expect continuous AI/agent-based vulnerability scanning to become standard, funded by “token budgets” and sold as security services.
  • Comparisons are made to existing large-scale fuzzing infrastructures and CI/CD security pipelines.

Update Size, Storage, and User Friction

  • Many complain about huge update sizes (often 10–13+ GB) and dual-architecture images.
  • Users with 32–64 GB devices struggle to free enough space for OTA updates, especially when the OS and “system data” already consume much of the storage.
  • Workarounds like tethered/desktop updates exist but are seen as poor UX and “malpractice” when critical security fixes are bundled into massive images.

Kernel, C, and Systemic Risk

  • Multiple simultaneous kernel bugs across projects are viewed as evidence of a large, fragile attack surface.
  • Commenters note that most listed CVEs are memory-safety issues (overflows, UAF, OOB), blaming continued use of C.
  • Some argue stronger type systems or capabilities-based designs could also help with permission and logic issues, but such OS architectures have seen limited adoption.