Why are all these CVEs un-patched in Sequoia 15.7.3?

While looking into a macOS vulnerability spotlighted in a Newsweek article on News+ (I know—Newsweek isn’t the ideal source of Apple security news), I followed a series of links at the NIST National Vulnerability Database website until I landed in the vulnerability search tool.

After tuning the search parameters to focus on macOS Sequoia 15.7.3 (the latest update), the results indicated 119 un-patched CVE items!

Many/most of those 119 CVEs are indicated as being addressed in version 26.1 or 26.2 systems and apps. The 26.2 updates are very recent and lag time is common before updates for prior systems appear, which might explain the large number of unaddressed CVEs on 15.7.3. Once 15.7.4 is released I intend to revisit the NIST NVD search tool to see how many CVEs remain un-patched, with the hope that it is close to zero.

1 Like

I think the patches are missing from 15.7.3 because Apple are winding up support and doing everything they can to get people on to 26.

And I’m of the opinion that we won’t get a 15.7.4.

We’re already a third of the way to 27, and they don’t typically look back. It’s the same reason iOS 18 never received full support for the new AirPods Pro 3.

I don’t think that number is necessarily unusual. A quick scan of the results indicates that many of the listed CVEs are not really relevant, e.g., they are vulnerabilities in obsolete third party software.

Security patches are issued on a risk adjusted basis, too, so “low risk” vulnerabilities often are not addressed, even in the newest OS release. Presumably, if adoption of a newer OS is very slow, that may impact risk assessments, and an older OS may end up getting more security patches as a result.

Keep in mind, too, that there are vulnerabilities that are not included in the CVE database, and those may or may not get fixed.

None of that is to suggest that unpatched vulnerabilities are “ok”, just that they may not carry major risks worthy of development effort. For example, many people still run Monterey and older versions of macOS, but I haven’t seen any evidence that such systems are widely compromised.

FWIW, there is a 15.7.4 RC in the beta channel. Time will tell.

4 Likes

@josehill you are correct. I hadn’t reviewed the entire list at the time of my post, only the first (most recent) 25 items. Of the 119 listed, about 76 are dated Sept. 2025 or newer and do pertain to Apple’s software, with several seeming to be non-trivial. Adjusting the search parameters to focus on macOS 26.2 returns a list of 41 CVEs, but all of them are 2024 or older and almost entirely third-party software such as Adobe Flash.

I intend to run a comparison of this NIST NVD list against the CVEs Apple has listed in their Security Content notices for Sequoia to confirm the NIST listings are actually un-patched. It occurs to me that Apple might benefit by publishing a running list of vulnerabilities in non-current OSes as another way of encouraging users to upgrade.

As you point out, Apple is weighing the risk/benefit ratio on the older systems and I have always trusted that they are addressing the truly critical vulnerabilities. I was just not expecting such a large number for a system that only left full support status a few months ago.

3 Likes

If Apple holds to their past cadence of support on macOS then Sequoia is just approaching its half-life now. Here’s a set of tables to illustrate…

4 Likes

The problem with the NVD is that, so far as I can tell, it doesn’t reliably tell you when a vulnerability was introduced, only when it was fixed[1]. If a vuln is listed as patched in (say) 26.2, it is assumed to affect all previous versions, from System 1 to macOS 15.7.3 even if it was (hypothetically) introduced in (say) 26.0 and never affected 15.x at all.

Then again, we don’t know that it wasn’t – isn’t – present in 15.7.3, either.


  1. Since Apple basically never reveals root-cause analyses of defects, the only way you’d be able to know for sure which versions are affected is if a security researcher did an extensive analysis and published the result.

2 Likes
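The range behaviour described in the post above, combined with the cross-check against Apple's security notes proposed earlier in the thread, as an added example that is not part of any post. The range field names are those NVD uses on CPE match entries; the function names, records and CVE IDs are constructed for illustration.

```python
# Added example. All records and CVE IDs below are constructed placeholders.

def vtuple(version, width=4):
    """'15.7.3' -> (15, 7, 3, 0) so '26' and '26.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def in_range(version, match):
    """Apply the NVD range fields of one CPE match entry to a version."""
    v = vtuple(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    # A missing field imposes no bound, so an end-only range matches every older release.
    return all(ok(vtuple(match[k])) for k, ok in bounds if k in match)

def triage(version, nvd_records, vendor_fixed):
    """Label each CVE by how much the NVD match actually tells us."""
    result = {}
    for cve, matches in nvd_records.items():
        hits = [m for m in matches if m.get("vulnerable", True) and in_range(version, m)]
        if not hits:
            result[cve] = "not matched"
        elif cve in vendor_fixed:
            result[cve] = "matched, but listed as fixed in vendor notes"
        elif any(k.startswith("versionStart") for m in hits for k in m):
            result[cve] = "matched, range has a lower bound"
        else:
            result[cve] = "matched by open-ended range, introduction unknown"
    return result

NVD_SAMPLE = {  # constructed
    "CVE-0000-0001": [{"vulnerable": True, "versionEndExcluding": "26.2"}],
    "CVE-0000-0002": [{"vulnerable": True, "versionStartIncluding": "26.0",
                       "versionEndExcluding": "26.2"}],
    "CVE-0000-0003": [{"vulnerable": True, "versionEndExcluding": "26.1"}],
    "CVE-0000-0004": [{"vulnerable": True, "versionStartIncluding": "15.0",
                       "versionEndExcluding": "26.2"}],
}
SEQUOIA_NOTES_SAMPLE = {"CVE-0000-0003"}  # constructed: CVEs named in the vendor's notes

if __name__ == "__main__":
    for cve, label in triage("15.7.3", NVD_SAMPLE, SEQUOIA_NOTES_SAMPLE).items():
        print(cve, "->", label)
```

Only the entries that match through a range with a lower bound and are absent from the vendor's notes are strong candidates for "actually un-patched"; the open-ended matches need per-CVE review.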

Apple security releases - Apple Support is useful to see some security details, but those are from Apple.