CVE-2026-20631
Published: 25 March 2026
Summary
CVE-2026-20631 is a high-severity vulnerability of unspecified weakness type in Apple macOS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 12.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of software flaws, directly mitigating this logic issue by applying the macOS Tahoe 26.4 patch.
Enforces logical access authorizations with improved checks to prevent unauthorized privilege elevation exploited by this logic flaw.
Implements least privilege to restrict low-privilege users from gaining elevated access, limiting the scope of exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a logic flaw enabling local privilege escalation from low-privileged user context, directly matching T1068 Exploitation for Privilege Escalation.
NVD Description
A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.4. A user may be able to elevate privileges.
Deeper analysis
CVE-2026-20631 is a logic issue addressed with improved checks in macOS. The vulnerability affects macOS versions prior to Tahoe 26.4 and enables a user to elevate privileges. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE category NVD-CWE-noinfo.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation results in high impacts to confidentiality, integrity, and availability, allowing the attacker to elevate privileges.
Apple's security advisory confirms the issue is fixed in macOS Tahoe 26.4. Security practitioners should apply this update to mitigate the vulnerability. Additional details are available at https://support.apple.com/en-us/126794.
Details
- CWE(s)