CVE-2026-20657

medium

Published 2026-03-25 · Modified 2026-05-11

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

6.5

Description

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. Parsing a maliciously crafted file may lead to an unexpected app termination.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: product-security@apple.com — https://support.apple.com/en-us/126796

vendor Authored 2026-05-27

Vendor advisory: product-security@apple.com — https://support.apple.com/en-us/126795

vendor Authored 2026-05-27

Vendor advisory: product-security@apple.com — https://support.apple.com/en-us/126793

Mitigation details

Source: Apple Security HT · View original ↗ · proprietary-no-redistribution

Full prose not cached — VIR stores only structured fields (affected/fixed versions, references) for this source. Click "View original" above for the vendor's full advisory.

OS impact

OS	Version	Status	Fixed in
macos		affected	`18.7.7`

References

CWEs

CWE-119 CWE-125 CWE-787

Verify integrity in audit chain (admin only). AS-IS.