Dozens of Chrome entries in macOS Tahoe's Local Network settings? Here's the fix!
If you have recently opened System Settings → Privacy & Security → Local Network on macOS Tahoe (26) and found the list flooded with dozens of duplicate Google Chrome entries, you are not alone.
The culprit is a bug in
Chrome's update mechanism: during each update, the updater creates a
temporary, re-signed copy of the application bundle (a so-called
code_sign_clone) under /private/var/folders/…. macOS registers every one
of these ephemeral clones as a distinct application requesting Local Network
access — and the entries remain in the list long after the clones themselves
have been deleted.
The problem is officially tracked as Chromium issue #376742636 ("Multiple Chrome application items in macOS > Privacy & Security > Local Network"). The Chromium team considers the root cause a bug in macOS itself — every re-signed clone gets registered as a new application — and has filed a corresponding report with Apple (FB15681423). At the time of writing, neither side has shipped a fix, so the stale entries keep accumulating.
Beyond being unsightly, this clutter makes the permission list effectively unusable: you can no longer tell at a glance which applications genuinely hold Local Network access.
Unfortunately, macOS offers no supported way to remove individual entries —
the toggles can be switched off, but the entries themselves cannot be
deleted. The registrations live in
/Library/Preferences/com.apple.networkextension.plist, which is protected
while macOS is running: the file is owned by root and held open by the
nesessionmanager daemon.
The clean approach is to remove it from Recovery Mode, where the system volume is inactive. macOS then rebuilds the file from scratch on the next boot, and each application will simply ask for Local Network permission again.
The walkthrough below requires an administrator account; FileVault can stay enabled. System Integrity Protection (SIP) does not need to be disabled either.
Side effects
- All Local Network permissions are reset. Every application that previously held Local Network access will prompt once on its next application launch.
- VPN configurations may need to be re-imported. VPN apps built on the Network Extension framework (such as WireGuard) register their tunnel configurations through this same family of files. In my case, the WireGuard tunnels had to be re-imported after the reset, so export or back up your VPN configurations beforehand.
- Wi-Fi settings are not affected. Known networks and their passwords are stored separately and survive the reset.
- The removed plist is kept as a backup. Should anything be missing after the reset, the original file can be restored from Recovery Mode.
Walkthrough
Note
Tested on macOS Tahoe 26.5.2 (Apple Silicon). Your settings, installed software, or future macOS updates may change how your Mac behaves. Make sure you have a current, complete (Time Machine) backup before making the changes described in this article.
-
Shut down your Mac.
-
Start your Mac and load the startup options by continuously holding the power button.
-
Choose
Optionsand clickContinue. -
Log in with your administrative user account.
-
Choose
Utilities→Terminalfrom the menu bar — a shell prompt will open. -
Identify your data volume — look for the volume named
Datain the output:diskutil list -
Unlock and mount your data volume (adjust the identifier if it differs; you will be asked for your FileVault passphrase, which is your macOS user password):
diskutil apfs unlockVolume /dev/disk3s5 -
Move the
com.apple.networkextension.plistfile into a backup folder — macOS will create a fresh one at startup.mkdir -p "/Volumes/Data/Users/«your account»/backups/ne-backup" mv "/Volumes/Data/Library/Preferences/com.apple.networkextension.plist" \ "/Volumes/Data/Users/«your account»/backups/ne-backup/" -
Reboot the computer:
reboot
After the reboot
Open System Settings → Privacy & Security → Local Network — the list should now be empty.