CVE-2026-26225
Severity CVSS v4.0: HIGH
Type: CWE-59 Link Following
Publication date: 12/02/2026
Last modified: 13/02/2026
Description
Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability. Backup task definitions are stored in a location writable by non-privileged users while being processed with elevated privileges. By crafting a malicious serialized task file, a local attacker can trigger arbitrary file writes to sensitive system locations, leading to privilege escalation to root.
Impact
Base Score 4.0: 8.50
Severity 4.0: HIGH
References to Advisories, Solutions, and Tools
- https://blog.quarkslab.com/intego_lpe_macos_1.html
- https://integosupport.zendesk.com/hc/en-us/articles/40945636077467-Personal-Backup-X9-Release-Notes
- https://www.intego.com/
- https://www.intego.com/bootable-mac-backups
- https://www.vulncheck.com/advisories/intego-personal-backup-task-file-privilege-escalation



