Cyber Resilience

CVE-2026-20639

High

Published: 25 March 2026

Published
25 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 18.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20639 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Macos. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20639 is an integer overflow vulnerability (CWE-190) that was addressed through improved input validation in various macOS versions. It affects macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.3. The flaw occurs during the processing of a maliciously crafted string, which can trigger heap corruption.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over a network with low attack complexity, requiring no privileges or user interaction. Remote attackers can send a specially crafted string to affected systems, leading to heap corruption and potential denial-of-service through application crashes or system instability, though no direct confidentiality or integrity impacts are noted.

Apple's security advisories detail the fixes in the specified macOS updates (https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796). Security practitioners should prioritize patching to macOS Sequoia 15.7.5, Sonoma 14.8.5, or Tahoe 26.3, as these releases incorporate the input validation improvements to prevent exploitation.

EU & UK References

Vulnerability details

An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Integer overflow leading to heap corruption enables remote DoS via application/system exploitation (T1499.004); no other techniques directly supported by the described impact or vector.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24265Same product: Apple Macos
CVE-2026-28842Same product: Apple Macos
CVE-2025-30444Same product: Apple Macos
CVE-2025-24139Same product: Apple Macos
CVE-2025-24156Same product: Apple Macos
CVE-2026-28848Same product: Apple Macos
CVE-2025-43244Same product: Apple Macos
CVE-2025-24120Same product: Apple Macos
CVE-2025-46290Same product: Apple Macos
CVE-2026-28952Same product: Apple Macos

Affected Assets

apple
macos
14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the integer overflow from maliciously crafted strings by requiring validation of inputs to prevent heap corruption.

prevent

Mandates timely flaw remediation through patching to the fixed macOS versions that incorporate improved input validation.

prevent

Provides memory protection mechanisms to mitigate heap corruption even if an integer overflow occurs during string processing.

References