CVE-2026-20616
Published: 11 February 2026
Summary
CVE-2026-20616 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Macos. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating information inputs like USD files at parsing points to enforce bounds checking and prevent out-of-bounds writes from malformed data.
SI-16 implements memory safeguards such as address space layout randomization and data execution prevention to mitigate exploitation of out-of-bounds write vulnerabilities.
SI-2 ensures timely identification, reporting, and patching of flaws like CVE-2026-20616, directly addressing the vulnerability fixed in specified Apple OS versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in client-side USD file parser enables remote code execution via malicious file opened by user (T1203 client exploitation + T1204.002 malicious file vector).
NVD Description
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. Processing a maliciously crafted USD file may lead to unexpected app termination.
Deeper analysisAI
CVE-2026-20616 is an out-of-bounds write vulnerability (CWE-787) that was addressed through improved bounds checking. It affects Apple's iOS prior to version 18.7.5, iPadOS prior to 18.7.5, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The issue arises when processing a maliciously crafted USD (Universal Scene Description) file, which may lead to unexpected application termination.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, and user interaction. A remote, unauthenticated attacker can exploit it by tricking a user into processing a specially crafted USD file, potentially achieving high confidentiality, integrity, and availability impacts.
Apple security advisories detail the patches released in iOS 18.7.5, iPadOS 18.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, and visionOS 26.3. Additional mitigation guidance and technical details are available in Apple's support pages (https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, https://support.apple.com/en-us/126353) and Zero Day Initiative advisory ZDI-26-176 (https://www.zerodayinitiative.com/advisories/ZDI-26-176/).
Details
- CWE(s)