The vulnerability could let attackers mess with the file system in secret.
Google's Project Zero security disclosure program is once again proving to be a double-edged sword. The company has detailed a "high severity" macOS kernel flaw that lets people modify a user-mounted file system image without the virtual management subsystem being any the wiser, theoretically letting an attacker go unnoticed by users. Apple is working on a patch, but the disclosure ahead of the fix could leave Mac users vulnerable until it's ready.
The less-than-ideal timing stems in part from how Project Zero works. Google notified Apple of the bug in November 2018, but its automatic 90-day disclosure policy means that it will publicize security vulnerabilities whether or not a fix is in place.