CVE-2026-20620
Published: 11 February 2026
Summary
CVE-2026-20620 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Apple macOS. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 0.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE's root cause of insufficient input validation that enables out-of-bounds reads in kernel memory.
- Ensures timely patching to the fixed macOS versions (Sequoia 15.7.4, Sonoma 14.8.4, Tahoe 26.3) to remediate the specific flaw.
- Provides memory safeguards such as isolation and bounds protection to limit kernel memory disclosure from out-of-bounds reads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read enables direct kernel memory disclosure (T1005/T1082) and system crashes via exploitation (T1499.004); the local, no-privileges-required vector fits these impacts exactly.
NVD Description
An out-of-bounds read issue was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An attacker may be able to cause unexpected system termination or read kernel memory.
Deeper analysis
CVE-2026-20620 is an out-of-bounds read vulnerability (CWE-125) affecting Apple's macOS operating system. The issue stems from insufficient input validation, enabling potential kernel memory disclosure or system crashes. It impacts versions of macOS prior to the patched releases: macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, and macOS Tahoe 26.3. The vulnerability received a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating high severity due to its confidentiality and availability impacts.
A local attacker can exploit this vulnerability with low complexity, no privileges, and no user interaction. Successful exploitation allows the attacker to read sensitive kernel memory or trigger unexpected system termination, leading to a denial-of-service condition. The local attack vector limits remote exploitation, but the lack of privilege requirements makes it accessible to any user-level adversary on the target system.
Apple's security advisories detail the fix through improved input validation in the specified macOS updates. Security practitioners should ensure systems are updated to macOS Sequoia 15.7.4, Sonoma 14.8.4, or Tahoe 26.3 or later. Relevant advisories are available at https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126349, and https://support.apple.com/en-us/126350.
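One way to check hosts against the fixed releases named above, as an added example that is not Apple's or this page's own code. The function names and the "hostname version" inventory format are assumptions made for illustration; the major-version numbers 14, 15 and 26 correspond to Sonoma, Sequoia and Tahoe.

```sh
#!/bin/sh
# Added example: classify macOS versions against the fixed releases the
# advisory lists for CVE-2026-20620. Function names are hypothetical.

# ver_ge HAVE NEED: succeed if dotted version HAVE >= NEED, comparing each
# component numerically (so 26.10 > 26.3); missing components count as 0.
ver_ge() {
    have=$1 need=$2
    old_ifs=$IFS; IFS=.
    set -- $have; h1=${1:-0} h2=${2:-0} h3=${3:-0}
    set -- $need; n1=${1:-0} n2=${2:-0} n3=${3:-0}
    IFS=$old_ifs
    if [ "$h1" -ne "$n1" ]; then [ "$h1" -gt "$n1" ]
    elif [ "$h2" -ne "$n2" ]; then [ "$h2" -gt "$n2" ]
    else [ "$h3" -ge "$n3" ]
    fi
}

# classify_macos VERSION: print patched | vulnerable | not-listed | unparseable.
classify_macos() {
    case $1 in
        ''|.*|*[!0-9.]*) echo unparseable; return 0 ;;
    esac
    case ${1%%.*} in
        14) fixed=14.8.4 ;;  # Sonoma
        15) fixed=15.7.4 ;;  # Sequoia
        26) fixed=26.3 ;;    # Tahoe
        *)  echo not-listed; return 0 ;;  # page names no fixed build for this branch
    esac
    if ver_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
}

# audit_inventory: read "hostname version" lines (assumed format) on stdin
# and print only the hosts that are not confirmed patched.
audit_inventory() {
    while read -r host ver; do
        status=$(classify_macos "$ver")
        [ "$status" = patched ] || echo "$host $ver $status"
    done
}

# On a Mac, report this host; elsewhere the functions are only defined.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "$v: $(classify_macos "$v")"
fi
```

A `not-listed` result means the page names no fixed release for that branch, so the host needs review against Apple's advisories rather than being assumed safe.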
Details
- CWE(s)