Cyber Resilience

CVE-2026-20616

High

Published: 11 February 2026

Published
11 February 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0054 41.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20616 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Macos. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-20616 is an out-of-bounds write vulnerability (CWE-787) that was addressed through improved bounds checking. It affects Apple's iOS prior to version 18.7.5, iPadOS prior to 18.7.5, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The issue arises when processing a maliciously crafted USD (Universal Scene Description) file, which may lead to unexpected application termination.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, and user interaction. A remote, unauthenticated attacker can exploit it by tricking a user into processing a specially crafted USD file, potentially achieving high confidentiality, integrity, and availability impacts.

Apple security advisories detail the patches released in iOS 18.7.5, iPadOS 18.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, and visionOS 26.3. Additional mitigation guidance and technical details are available in Apple's support pages (https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, https://support.apple.com/en-us/126353) and Zero Day Initiative advisory ZDI-26-176 (https://www.zerodayinitiative.com/advisories/ZDI-26-176/).

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. Processing a maliciously crafted USD file may lead to unexpected app termination.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Out-of-bounds write in client-side USD file parser enables remote code execution via malicious file opened by user (T1203 client exploitation + T1204.002 malicious file vector).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-43202Same product: Apple Ipados
CVE-2025-24257Same product: Apple Ipados
CVE-2025-43300Same product: Apple Ipados
CVE-2024-54523Same product: Apple Ipados
CVE-2025-43209Same product: Apple Ipados
CVE-2023-43010Same product: Apple Ipados
CVE-2026-43656Same product: Apple Ipados
CVE-2025-24154Same product: Apple Ipados
CVE-2024-54543Same product: Apple Ipados
CVE-2024-54499Same product: Apple Ipados

Affected Assets

apple
ipados
≤ 18.7.5
apple
iphone os
≤ 18.7.5
apple
macos
14.0 — 14.8.4 · 26.0 — 26.3
apple
visionos
≤ 26.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validating information inputs like USD files at parsing points to enforce bounds checking and prevent out-of-bounds writes from malformed data.

prevent

SI-16 implements memory safeguards such as address space layout randomization and data execution prevention to mitigate exploitation of out-of-bounds write vulnerabilities.

prevent

SI-2 ensures timely identification, reporting, and patching of flaws like CVE-2026-20616, directly addressing the vulnerability fixed in specified Apple OS versions.

References