CVE-CVE-2026-20677 | CRITICAL Severity | CVEDatabase.com

Description

A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: network
Complexity: high
Privileges: none
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-362

Metadata

Primary Vendor: APPLE
Published: 2/11/2026
Last Modified: 2/12/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

apple : ipadosapple : ipadosapple : iphone_osapple : iphone_osapple : macosapple : macosapple : visionos

AI-Powered Remediation

Generate remediation guidance or a C-suite brief for this vulnerability.

Executive Intelligence Brief

View on NIST NVD