CVE-2026-20615
Published: 11 February 2026
Summary
CVE-2026-20615 is a high-severity Path Traversal (CWE-22) vulnerability in Apple macOS. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of flaws like the path handling vulnerability in CVE-2026-20615 through patching to fixed versions.
Mandates validation of information inputs such as file paths, directly addressing the CWE-22 path traversal issue enabling root privilege escalation.
Enforces least privilege for processes and users, limiting the scope and impact of privilege escalation attempts by low-privileged malicious apps.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal (CWE-22) in Apple OS components directly enables local privilege escalation from a malicious app to root via exploitation of the vulnerability.
NVD Description
A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. An app may be able to gain root privileges.
Deeper analysis
CVE-2026-20615 is a path handling vulnerability (CWE-22) that was addressed through improved validation mechanisms. It affects Apple's iOS and iPadOS versions prior to 26.3, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The flaw allows a malicious app to potentially gain root privileges on affected systems, earning a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires a local attacker with low privileges, such as a compromised or malicious app already installed or executed on the target device. The low attack complexity and lack of required user interaction enable straightforward privilege escalation, resulting in high impacts to confidentiality, integrity, and availability through root access.
Apple security advisories detail the fixes in the specified updates, recommending immediate patching to iOS 26.3, iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, or visionOS 26.3 as the primary mitigation. Additional guidance is available in the referenced support documents at https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126353.
Details
- CWE(s)