CVE-2022-26704: 
macOS vulnerability analysis and mitigation

CVE-2022-26704 is a validation issue in Apple's Spotlight service that was discovered in macOS systems. The vulnerability was first reported on April 12, 2022, and was fixed in macOS Monterey 12.4, released on May 16, 2022. The vulnerability affects multiple versions of macOS including Monterey, Big Sur, and Catalina (Mandiant Disclosure, Apple Support).

The vulnerability exists in Apple's Spotlight indexing service, which indexes files across devices to provide quick search capabilities. The issue stems from improper handling of symlinks during the indexing process. The two processes creating and managing the Spotlight archive (mds and mds_stores) are subject to their own sandbox policies, but at least two use open system calls that follow symbolic links. Additionally, the Mac OS sandbox cannot detect hard linked files. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Mandiant Disclosure, NVD).

The vulnerability allows an unprivileged local attacker to gain elevated privileges. When exploited, an application may be able to gain root-level access to the system, potentially leading to complete system compromise. The vulnerability can be used to create or overwrite arbitrary files as root (Mandiant Disclosure).

Apple addressed this vulnerability in macOS Monterey 12.4, macOS Big Sur 11.6.8, and Security Update 2022-005 Catalina, released on July 20, 2022. The fix involves improved validation of symlinks in the Spotlight system. Users are advised to update their systems to these or later versions to protect against this vulnerability (Apple Support, Apple Security).