Description
Describe the issue
After upgrading the host from macOS Sequoia 15.3.1 to macOS Tahoe 26.2, macOS VMs using Bridged Network mode experience severe network issues:
Symptoms:
❌ Safari cannot load any pages (CFNetwork timeout errors -1001, -2102, -999)
❌ XCreds (SecurityAgentPlugin for OIDC login) fails to load web form - XPC connection errors
❌ altool (Apple development tools) fails to upload files to App Store Connect
✅ Chrome/curl work normally (use own network stack, not Apple CFNetwork)
✅ DNS resolution works
✅ SSH in/out works
✅ ICMP (ping) works
✅ Download works, Upload is broken/very slow
Root Cause:
Apple CFNetwork framework inside VMs cannot establish SSL/TLS connections when host is macOS Tahoe 26.2+. Massive bad tcp cksum and bad udp cksum errors visible in tcpdump.
Workaround Attempted:
Disabling checksums inside VM (sysctl -w net.inet.udp.checksum=0, net.link.generic.system.hwcksum_tx=0, hwcksum_rx=0) fixes UDP/basic connectivity but does not fix CFNetwork/Safari/XCreds.
Important:
- Same VM works perfectly on another host running macOS Sequoia 15.3.1
- Issue is host OS version dependent, not VM configuration
- Shared Network mode works fine, only Bridged Network is broken
- Related to issue #7438, "Unusably slow Bridged network upload after upgrading host to Tahoe" (slow Bridged upload on Tahoe 26 host)
Configuration
UTM Version: 4.7.5
macOS Version (HOST): 26.2 (Tahoe)
macOS Version (GUEST VM): 26.3 (Tahoe)
Mac Chip: Apple Silicon (M series)
Network Mode: Bridged Network
VM Type: macOS-on-macOS (Virtualization.framework)
Crash log
No crashes. System runs but network is dysfunctional.
Debug log
System logs from guest VM show CFNetwork errors:
com.apple.Safari.SafeBrowsing.Service: (CFNetwork) Task finished with error [-1001]
Error Domain=NSURLError Domain Code=1001 UserInfo={_kCFStreamErrorCodeKey=-2102}
NSUnderlyingError Domain=kCFErrorDomainCFNetwork Code=-1001
_kCFStreamErrorDomainKey=4
HTTP load canceled, 0/0 bytes (error code: -999 [1:89])
XPC errors in guest VM:
XCreds Login Overlay: (libxpc.dylib) [com.apple.xpc:connection] [0xa56c6d900] invalidated after a failed init
com.apple.UIIntelligenceSupport:xpc agent connection cancelled
Connection init failed at lookup with error 3 - No such process
com.apple.CFPasteboard:general Failed to set up CFPasteboard
com.apple.windowmanagement:framework WMClientWindowManager: Invalid connection
Network diagnostic from guest VM:
tcpdump shows correct SYN/SYN-ACK handshakes but all TCP packets have incorrect checksums (cksum 0xXXXX (incorrect -> 0xYYYY)), causing CFNetwork to reject them.
openssl/curl work because they ignore checksum validation. Safari/XCreds/Apple frameworks enforce checksum validation and fail.
Upload VM
VM configuration is standard UTM Bridged Network setup. The same .utm VM file works perfectly when moved to a host running macOS Sequoia 15.3.1.
Steps to reproduce:
1. Create macOS VM in UTM on macOS Sequoia 15.3.1 host using Bridged Network
2. Install macOS 26.3 (Tahoe) as guest OS
3. Verify Safari/XCreds/altool work normally on the Sequoia host
4. Upgrade HOST (not VM) to macOS Tahoe 26.2
5. Launch same VM
6. Observe Safari/XCreds/altool fail with CFNetwork errors in the VM
Expected behavior:
VM network should work identically on Tahoe 26.2 host as it does on Sequoia 15.3.1 host.
Actual behavior:
Apple frameworks (CFNetwork, Security, XPC) fail to establish network connections in Bridged Network mode when host is Tahoe 26.2+.
Related Issues:
#7438 - Unusably slow Bridged network upload after upgrading host to Tahoe
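
Added example, not part of the original report and not UTM code: a small parser that tallies the checksum verdicts in `tcpdump -nn -vv` output by direction relative to the guest, since packets sent from the capturing machine show unfilled checksums whenever transmit checksum offload is active. The guest address, the sample capture and the function names are constructed assumptions, and only IPv4 lines are handled.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -vv` output captured inside the guest.
# Addresses, ports and checksum values are made up for illustration.
GUEST_IP = "192.168.1.50"
SAMPLE = """\
12:00:00.000001 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.50.51234 > 203.0.113.10.443: Flags [S], cksum 0x1a2b (incorrect -> 0x3c4d), seq 1, win 65535, length 0
12:00:00.010002 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.443 > 192.168.1.50.51234: Flags [S.], cksum 0x5e6f (correct), seq 9, ack 2, win 65535, length 0
12:00:00.010100 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.50.51234 > 203.0.113.10.443: Flags [.], cksum 0x7788 (incorrect -> 0x99aa), ack 10, win 2048, length 0
12:00:00.020000 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto UDP (17), length 80)
    203.0.113.53.53 > 192.168.1.50.60000: [bad udp cksum 0x1111 -> 0x2222!] 4242 q: A? example.com. 0/0/0 (52)
"""

# With -vv the "src.port > dst.port:" part sits on an indented continuation line.
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")
# tcpdump marks TCP failures as "(incorrect -> 0x....)" and UDP as "[bad udp cksum ...".
BAD = re.compile(r"\(incorrect -> 0x[0-9a-f]+\)|\[bad (?:udp|tcp) cksum ")

def tally(text, guest_ip):
    """Count (direction, verdict) pairs for every packet line in the capture."""
    counts = Counter()
    for line in text.splitlines():
        m = ADDR.match(line)
        if not m:
            continue  # header line or unrelated output
        src, dst = m.groups()
        if src == guest_ip:
            direction = "outbound"
        elif dst == guest_ip:
            direction = "inbound"
        else:
            direction = "other"
        counts[(direction, "bad" if BAD.search(line) else "ok")] += 1
    return counts

def interpret(counts):
    """Turn the tally into a one-line reading for the person triaging."""
    if counts[("inbound", "bad")]:
        return "inbound failures: not explained by guest transmit offload, check the host/bridge path"
    if counts[("outbound", "bad")]:
        return "outbound only: consistent with transmit checksum offload at the capture point"
    return "no checksum failures seen"
```

Running the same tally on a capture taken on the host's bridged interface, next to the guest capture, shows where in the path the checksums change.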