CVE-2022-26726

MEDIUM

macOS < 10.15.7, 11.0-11.6.5, watchOS < 8.6 - Unauthorized Screen Capture

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-26726. PoCs published by acheong08.

AI-analyzed exploit summary This PoC exploits a macOS TCC bypass vulnerability (CVE-2022-26726) by deleting an executable while it runs, allowing unauthorized screen recording and keystroke injection without user prompts. The script copies and executes a Mach-O binary, then deletes it mid-execution to trigger the bypass.

Description

This issue was addressed with improved checks. This issue is fixed in Security Update 2022-004 Catalina, watchOS 8.6, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to capture a user's screen.

Exploits (2)

nomisec WORKING POC 20 stars

by acheong08 · poc

https://github.com/acheong08/CVE-2022-26726-POC

View Code ZIP pw:eip

This PoC exploits a macOS TCC bypass vulnerability (CVE-2022-26726) by deleting an executable while it runs, allowing unauthorized screen recording and keystroke injection without user prompts. The script copies and executes a Mach-O binary, then deletes it mid-execution to trigger the bypass.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Racy

Target: macOS (tested on 10.15.7, 11.6.1, 12.0, 12.3, 12.3.1)

No auth needed

Prerequisites: Fresh macOS installation · TCC permissions not previously granted

MITRE ATT&CK

T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by acheong08 · poc

https://github.com/acheong08/CVE-2022-26726-POC2

View Code ZIP pw:eip

This repository contains a Go-based PoC for CVE-2022-26726, which includes modules for executing shell commands, capturing screenshots, and simulating keyboard inputs. The POC.sh script demonstrates a self-deleting executable behavior, typical for evasion techniques.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unknown (CVE-2022-26726 details not provided in code)

No auth needed

Prerequisites: Access to the target system · Execution privileges

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1113 - Screen Capture T1059.004 - Unix Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

https://support.apple.com/en-us/HT213255

Vendor Advisory x_refsource_misc

https://support.apple.com/en-us/HT213256

Vendor Advisory x_refsource_misc

https://support.apple.com/en-us/HT213253

Vendor Advisory x_refsource_misc

https://support.apple.com/en-us/HT213257

Scores

CVSS v3 6.5

EPSS 0.0222

EPSS Percentile 80.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

Status published

Products (4)

apple/mac_os_x 10.15.7 (13 CPE variants)

apple/mac_os_x < 10.15.7

apple/macos 11.0 - 11.6.6

apple/watchos < 8.6

Published May 26, 2022

Tracked Since Feb 18, 2026