CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such a vulnerability difficult to discover by traditional SAST tools?
CVEs:
* https://nvd.nist.gov/vuln/detail/CVE-2026-28952
* https://nvd.nist.gov/vuln/detail/CVE-2026-28942
More than 26.5:
> The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.
I’ve already seen a lot of people self-congratulating for not updating to Tahoe but this isn’t exclusive to Tahoe.
Ah thanks! I was only looking at Tahoe since my mac had an update and I usually look at the security release notes.
Kernel
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: An integer overflow was addressed with improved input validation.
CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research
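The advisory gives only that one-line description, so as an added illustration (not code from the thread, from Apple, or from the researchers credited above) here is the generic shape of the bug class it names, in C: a size computed from a caller-controlled count with no range check, beside a hardened version. The record type, the `MAX_RECORDS` limit and all function names are hypothetical. Note that for unsigned operands the wrapping multiply is defined behaviour, so nothing here is undefined for a sanitizer to trip on; the defect only exists because the later copy loop trusts the same unvalidated `count` that was silently truncated into the allocation size. Relating those two uses of one variable is the part a tool has to get right.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a fixed-size record copied in from an untrusted caller.
 * The struct, limit and function names are hypothetical, not Apple's code. */
typedef struct {
    uint8_t payload[64];
} record_t;

#define MAX_RECORDS 4096u   /* hypothetical policy limit for one request */

/* Vulnerable pattern: 32-bit size computation with no range check.
 * Unsigned multiplication wraps, so for count = 0x04000001 the product
 * 0x04000001 * 64 = 0x1_0000_0040 truncates to 64 bytes.  A copy loop
 * that still trusts `count` would write far past a 64-byte allocation. */
uint32_t vuln_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(record_t);
}

/* Shows how far the allocation and the write bound disagree, without
 * performing the out-of-bounds write.  Returns the number of bytes the
 * copy loop would write beyond the allocation (0 if none). */
uint64_t vuln_overflow_bytes(uint32_t count)
{
    uint32_t alloc = vuln_alloc_size(count);
    uint64_t written = (uint64_t)count * sizeof(record_t);
    return written > alloc ? written - alloc : 0;
}

/* Hardened pattern: overflow-checked multiply into the same 32-bit type,
 * then a policy bound on the count.  __builtin_mul_overflow is a GCC/Clang
 * builtin that returns true if the product does not fit in *out_size.
 * Returns 0 on success, -EOVERFLOW if the size wraps, -EINVAL if the
 * count is out of policy. */
int safe_alloc_size(uint32_t count, uint32_t *out_size)
{
    uint32_t size;
    if (__builtin_mul_overflow(count, (uint32_t)sizeof(record_t), &size))
        return -EOVERFLOW;
    if (count == 0 || count > MAX_RECORDS)
        return -EINVAL;
    *out_size = size;
    return 0;
}

/* Handler that copies `count` caller-supplied records into a fresh buffer.
 * The allocation size and the loop bound derive from one validated value. */
int safe_copy_in(const record_t *src, uint32_t count, record_t **out)
{
    uint32_t size;
    int rc = safe_alloc_size(count, &size);
    if (rc != 0)
        return rc;
    record_t *buf = malloc(size);
    if (buf == NULL)
        return -ENOMEM;
    for (uint32_t i = 0; i < count; i++)
        buf[i] = src[i];   /* bounded by the count that sized the buffer */
    *out = buf;
    return 0;
}

int main(void)
{
    uint32_t evil = 0x04000001u;   /* 67,108,865 records requested */
    uint32_t size = 0;

    printf("vulnerable alloc size for %u records: %u bytes (needs %llu)\n",
           evil, vuln_alloc_size(evil),
           (unsigned long long)evil * sizeof(record_t));
    printf("bytes the copy loop would write past the buffer: %llu\n",
           (unsigned long long)vuln_overflow_bytes(evil));
    printf("hardened path: rc=%d for wrapping count, rc=%d for 5000 records\n",
           safe_alloc_size(evil, &size), safe_alloc_size(5000u, &size));

    record_t recs[2];
    memset(recs, 0, sizeof recs);
    recs[0].payload[0] = 1;
    recs[1].payload[0] = 2;
    record_t *copy = NULL;
    if (safe_copy_in(recs, 2, &copy) == 0) {
        printf("hardened copy of 2 records ok, second record starts with %u\n",
               copy[1].payload[0]);
        free(copy);
    }
    return 0;
}
```

The two error codes are deliberate: the checked multiply catches the wrap even before the policy bound is consulted, and the policy bound catches sizes that are arithmetically fine but still unreasonable for a single request, which is the kind of limit an "improved input validation" fix typically adds.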
For many years my go-to plan has been to stay one point release behind Apple's releases, especially the .0 releases -- but, times change. Last night I pushed the button for 26.5, thinking about the Glasswing/Mythos reporting. Seems like staying on the bleeding edge is going to be the name of the game.
I wonder if this will change general dynamics -- feels like LTS releases could become even more important, at the same time having reduced maintenance costs since you can have some agentic help on backporting.
Claude and Anthropic are mentioned, but not Mythos. I'm guessing this would mean it was found outside of the whole Mythos thing, or would there be any reason for them not to mention it, if it was involved?
It was Mythos
> Our engineers, working together with Mythos Preview, built a working exploit in five days.
https://news.ycombinator.com/item?id=48139219
Where is all of this going? Will there be dedicated servers running coding agents that iterate through codebases for each company to find vulnerabilities 24/7?
More like: There will be a budget for tokens to be spent on security audits.
1000 different companies will be pitching your CTO their proprietary vulnerability scanning harness as the most cost effective.
So what already happens, but worse?
Yes
One more reason to avoid upgrading to Tahoe.
> One more reason to avoid upgrading to Tahoe.
Sequoia also has security bugs :) https://support.apple.com/en-us/127116
This was fixed in 26.5 as well as 15.7.7 etc.
https://app.opencve.io/cve/CVE-2026-28952