CVE-2026-20611
Published: 11 February 2026
Summary
CVE-2026-20611 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Apple Macos. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation directly mitigates CVE-2026-20611 by applying vendor patches that implement improved bounds checking in media processing components.
Memory protection mechanisms such as bounds checking and address space protections prevent exploitation of out-of-bounds access during malicious media file processing.
Input validation for media files checks format, length, and range to block malformed inputs that trigger out-of-bounds access in processing libraries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds media file processing leads to memory corruption and arbitrary code execution on client apps when a user opens a crafted file (local vector, no privileges needed).
NVD Description
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3.…
more
Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Deeper analysisAI
CVE-2026-20611 is an out-of-bounds access vulnerability, corresponding to CWE-125, that was addressed through improved bounds checking in multiple Apple operating systems. It affects iOS and iPadOS prior to versions 18.7.5 and 26.3, macOS Sequoia prior to 15.7.4, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, tvOS prior to 26.3, visionOS prior to 26.3, and watchOS prior to 26.3. The issue arises during the processing of media files and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.
An attacker with local access can exploit this vulnerability by tricking a user into processing a maliciously crafted media file, requiring user interaction but no special privileges. Successful exploitation may result in unexpected application termination or corruption of process memory, enabling high-impact effects such as arbitrary code execution or denial of service within the affected process scope.
Apple security advisories, detailed in support documents such as https://support.apple.com/en-us/126346 through https://support.apple.com/en-us/126350, confirm the vulnerability was fixed in the specified versions of iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Mitigation requires updating affected devices to these patched releases to apply the improved bounds checking.
Details
- CWE(s)