CVE-2026-20700

CVSS 7.8 HIGHEPSS 1.3%● KEVCWE-119

In short

A memory corruption flaw in Apple operating systems (iOS, macOS, tvOS, visionOS, watchOS) could allow an attacker with the ability to write to system memory to run malicious code. This vulnerability has reportedly been exploited in real attacks.

Technical detail

CWE-119 buffer overflow in memory management across multiple Apple platforms. An attacker with memory write capability can trigger arbitrary code execution through improper state management. Fixed in iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3.

Summary generated and translated by AI from the official description.

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Apple · iOS and iPadOS Apple · macOS Apple · tvOS Apple · visionOS Apple · watchOS

public PoCs found — 2

githubgithub.com/R3n3r0/CVE-2026-20700★ 8 githubgithub.com/notthemystery/CVE-2026-20700-POC-that-ll-never-work★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://support.apple.com/en-us/126346 https://support.apple.com/en-us/126348 https://support.apple.com/en-us/126351 https://support.apple.com/en-us/126352 https://support.apple.com/en-us/126353 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20700