Microsoft Defender for Endpoint for Mac installations older than build 101.26042.0020 are vulnerable to CVE-2026-50658, a local privilege-escalation flaw that could let an authenticated attacker gain extensive control over an affected Mac. Administrators should update Defender to build 101.26042.0020 or later and verify the installed version across managed fleets rather than relying solely on automatic-update policy.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center on July 14, 2026. The National Vulnerability Database lists it as a confirmed time-of-check/time-of-use race condition, assigns Microsoft’s CVSS 3.1 score of 7.0, and identifies Microsoft Defender for Endpoint for Mac versions from 101.0.0 up to—but not including—101.26042.0020 as affected.
This is not a Windows Defender engine vulnerability carried across every supported platform. The published product scope is specifically Microsoft Defender for Endpoint for Mac, making the immediate audience security teams and administrators managing corporate macOS devices through Microsoft Intune, Jamf Pro, Microsoft AutoUpdate, or another deployment system.
CVE-2026-50658 is classified as CWE-367, a time-of-check/time-of-use, or TOCTOU, race condition. This class of bug appears when privileged software checks a file, path, object, or other resource and then uses it later, leaving a small interval in which an attacker can replace or alter what the software ultimately operates on.
Microsoft says exploitation requires local access and low-level privileges. No user interaction is required, but the attack has high complexity, indicating that exploitation depends on successfully winning the race or arranging system state precisely enough to trigger the vulnerable behavior.
The CVSS vector is
That prerequisite limits the initial attack surface, but it does not make the bug harmless. Privilege escalation is commonly used after an attacker has obtained a basic foothold through stolen credentials, malicious software, an unpatched application, or an abused management tool. Escaping a restricted user context can then provide access to protected data, security settings, persistence mechanisms, and processes unavailable to an ordinary account.
Microsoft’s CVSS assessment gives high ratings to confidentiality, integrity, and availability impact. CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment likewise describes the potential technical impact as total, while recording no known exploitation and judging automated exploitation unlikely.
That combination matters: the exploit may be difficult to reproduce reliably, but successful exploitation could be severe.
CVE-2026-50658 is particularly relevant in mixed Windows and Mac environments where Defender for Endpoint was selected to provide a single security console across both platforms. A Mac enrolled in Microsoft Defender may be monitored from the same Microsoft Defender portal used for Windows 11 clients and Windows Server systems, but its local agent has its own release train, platform build, engine build, and macOS-specific components.
Administrators should not infer Mac protection from the status of Defender updates on Windows. Windows Antivirus Platform and security-intelligence versions do not establish whether a Mac has received the corrected Defender for Endpoint package.
The minimum non-vulnerable Mac platform build identified in the public CVE record is 101.26042.0020. Microsoft’s Defender for Endpoint release notes list that build as a June 2026 macOS release with release version 20.126042.20.0, engine version 1.1.26040.3000, and signature version 1.453.151.0. Microsoft categorizes the release as containing security and critical updates.
A newer July 2026 release, platform build 101.26052.0016, is also listed in Microsoft’s release notes. It carries release version 20.126052.16.0, engine version 1.1.26060.12000, and signature version 1.455.47.0. Systems already on that build are above the affected-version boundary published for CVE-2026-50658.
Security teams should query their device-management and endpoint-security inventories for the Defender platform version, then isolate the population below 101.26042.0020. Checking only the malware signature version is insufficient because this vulnerability concerns the installed Defender software rather than whether the latest threat definitions have arrived.
On an individual Mac, Microsoft documents the
The remediation workflow should cover four concrete checks:
There is also no public indication that CVE-2026-50658 was exploited before disclosure. It should therefore not be described as a zero-day under active attack based on the currently available evidence. The confirmed vulnerability, affected-version range, CVSS vector, and corrected build nevertheless provide enough information to act without waiting for deeper technical research.
Organizations with tightly managed Macs and enforced Defender update policies may already be protected by the June build. Those with custom update channels, loosely managed executive laptops, developer workstations, or remote devices should verify rather than assume. Macs that have fallen outside normal software-management coverage are precisely the systems most likely to retain both an outdated security agent and other weaknesses that could provide the attacker’s initial foothold.
The immediate threshold is unambiguous: Defender for Endpoint for Mac build 101.26042.0020 closes the published affected range, while the July 2026 build 101.26052.0016 moves systems further ahead. The outstanding question for administrators is not whether Microsoft has supplied a corrected release, but whether every enrolled Mac has actually installed it.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center on July 14, 2026. The National Vulnerability Database lists it as a confirmed time-of-check/time-of-use race condition, assigns Microsoft’s CVSS 3.1 score of 7.0, and identifies Microsoft Defender for Endpoint for Mac versions from 101.0.0 up to—but not including—101.26042.0020 as affected.
This is not a Windows Defender engine vulnerability carried across every supported platform. The published product scope is specifically Microsoft Defender for Endpoint for Mac, making the immediate audience security teams and administrators managing corporate macOS devices through Microsoft Intune, Jamf Pro, Microsoft AutoUpdate, or another deployment system.
A Local Foothold Can Become Full Device Control
CVE-2026-50658 is classified as CWE-367, a time-of-check/time-of-use, or TOCTOU, race condition. This class of bug appears when privileged software checks a file, path, object, or other resource and then uses it later, leaving a small interval in which an attacker can replace or alter what the software ultimately operates on.Microsoft says exploitation requires local access and low-level privileges. No user interaction is required, but the attack has high complexity, indicating that exploitation depends on successfully winning the race or arranging system state precisely enough to trigger the vulnerable behavior.
The CVSS vector is
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the flaw is not remotely exploitable over the network by an unauthenticated attacker, and it is not a one-click phishing vulnerability. An attacker must already be able to run code or perform authorized local actions on the Mac.That prerequisite limits the initial attack surface, but it does not make the bug harmless. Privilege escalation is commonly used after an attacker has obtained a basic foothold through stolen credentials, malicious software, an unpatched application, or an abused management tool. Escaping a restricted user context can then provide access to protected data, security settings, persistence mechanisms, and processes unavailable to an ordinary account.
Microsoft’s CVSS assessment gives high ratings to confidentiality, integrity, and availability impact. CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment likewise describes the potential technical impact as total, while recording no known exploitation and judging automated exploitation unlikely.
That combination matters: the exploit may be difficult to reproduce reliably, but successful exploitation could be severe.
The Security Agent Becomes Part of the Attack Surface
Endpoint detection and response software necessarily operates with significant privileges. Defender for Endpoint must inspect files and processes, collect telemetry, enforce security controls, and communicate with Microsoft’s security services. A flaw in that privileged boundary can therefore offer an attacker a path that ordinary user applications do not expose.CVE-2026-50658 is particularly relevant in mixed Windows and Mac environments where Defender for Endpoint was selected to provide a single security console across both platforms. A Mac enrolled in Microsoft Defender may be monitored from the same Microsoft Defender portal used for Windows 11 clients and Windows Server systems, but its local agent has its own release train, platform build, engine build, and macOS-specific components.
Administrators should not infer Mac protection from the status of Defender updates on Windows. Windows Antivirus Platform and security-intelligence versions do not establish whether a Mac has received the corrected Defender for Endpoint package.
The minimum non-vulnerable Mac platform build identified in the public CVE record is 101.26042.0020. Microsoft’s Defender for Endpoint release notes list that build as a June 2026 macOS release with release version 20.126042.20.0, engine version 1.1.26040.3000, and signature version 1.453.151.0. Microsoft categorizes the release as containing security and critical updates.
A newer July 2026 release, platform build 101.26052.0016, is also listed in Microsoft’s release notes. It carries release version 20.126052.16.0, engine version 1.1.26060.12000, and signature version 1.455.47.0. Systems already on that build are above the affected-version boundary published for CVE-2026-50658.
Inventory Before Assuming the Update Landed
Defender for Endpoint for Mac is normally updated through Microsoft AutoUpdate, but enterprise controls can delay deployment. Update rings, custom manifests, network restrictions, maintenance windows, sleeping laptops, and devices that rarely connect to the corporate network can all leave older agents in service.Security teams should query their device-management and endpoint-security inventories for the Defender platform version, then isolate the population below 101.26042.0020. Checking only the malware signature version is insufficient because this vulnerability concerns the installed Defender software rather than whether the latest threat definitions have arrived.
On an individual Mac, Microsoft documents the
mdatp health command as a way to inspect Defender’s state and version information. At fleet scale, administrators should use the reporting available through Microsoft Defender, Intune, Jamf Pro, or their software-inventory platform so unmanaged and partially enrolled devices are not overlooked.The remediation workflow should cover four concrete checks:
- Every managed Mac should report Defender for Endpoint platform build 101.26042.0020 or later.
- Update policies should permit Microsoft AutoUpdate to retrieve and install current Defender packages.
- Devices that remain on an older release should be investigated for failed updates, stale enrollment, connectivity problems, or an intentionally pinned update channel.
- Security monitoring should look for suspicious local activity on vulnerable Macs, particularly where an untrusted user or process may already have gained code execution.
There is also no public indication that CVE-2026-50658 was exploited before disclosure. It should therefore not be described as a zero-day under active attack based on the currently available evidence. The confirmed vulnerability, affected-version range, CVSS vector, and corrected build nevertheless provide enough information to act without waiting for deeper technical research.
Mac Update Hygiene Is the Real Operational Test
The urgency of CVE-2026-50658 depends less on internet exposure than on how quickly an organization can identify outdated Mac security agents. A remotely exploitable vulnerability on an exposed service would demand a different response, but local escalation flaws remain valuable in multi-stage intrusions because they turn limited access into administrative control.Organizations with tightly managed Macs and enforced Defender update policies may already be protected by the June build. Those with custom update channels, loosely managed executive laptops, developer workstations, or remote devices should verify rather than assume. Macs that have fallen outside normal software-management coverage are precisely the systems most likely to retain both an outdated security agent and other weaknesses that could provide the attacker’s initial foothold.
The immediate threshold is unambiguous: Defender for Endpoint for Mac build 101.26042.0020 closes the published affected range, while the July 2026 build 101.26052.0016 moves systems further ahead. The outstanding question for administrators is not whether Microsoft has supplied a corrected release, but whether every enrolled Mac has actually installed it.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: learn.microsoft.com
Microsoft Defender for Endpoint release notes - Microsoft Defender for Endpoint | Microsoft Learn
This article describes releases of Microsoft Defender for Endpoint on Windows, macOS, Linux, Android, and iOS.learn.microsoft.com - Related coverage: techradar.com
Microsoft says it's hard at work on a patch for this worrying Defender zero-day | TechRadar
RoguePlanet now has a CVE and a patch in the workswww.techradar.com