Cyber Posture

CVE-2026-20639

High

Published: 25 March 2026

Published
25 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 17.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20639 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Macos. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the integer overflow from maliciously crafted strings by requiring validation of inputs to prevent heap corruption.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through patching to the fixed macOS versions that incorporate improved input validation.

SI-16 Memory Protection partial match
prevent

Provides memory protection mechanisms to mitigate heap corruption even if an integer overflow occurs during string processing.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Integer overflow leading to heap corruption enables remote DoS via application/system exploitation (T1499.004); no other techniques directly supported by the described impact or vector.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption.

Deeper analysisAI

CVE-2026-20639 is an integer overflow vulnerability (CWE-190) that was addressed through improved input validation in various macOS versions. It affects macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.5, and macOS Tahoe prior to 26.3. The flaw occurs during the processing of a maliciously crafted string, which can trigger heap corruption.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over a network with low attack complexity, requiring no privileges or user interaction. Remote attackers can send a specially crafted string to affected systems, leading to heap corruption and potential denial-of-service through application crashes or system instability, though no direct confidentiality or integrity impacts are noted.

Apple's security advisories detail the fixes in the specified macOS updates (https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126795, https://support.apple.com/en-us/126796). Security practitioners should prioritize patching to macOS Sequoia 15.7.5, Sonoma 14.8.5, or Tahoe 26.3, as these releases incorporate the input validation improvements to prevent exploitation.

Details

CWE(s)
CWE-190

Affected Products

apple
macos
14.0 — 14.8.5 · 15.0 — 15.7.5 · 26.0 — 26.3

CVEs Like This One

CVE-2026-28842Same product: Apple Macos
CVE-2025-24139Same product: Apple Macos
CVE-2025-43244Same product: Apple Macos
CVE-2025-46290Same product: Apple Macos
CVE-2025-24120Same product: Apple Macos
CVE-2025-24156Same product: Apple Macos
CVE-2025-30444Same product: Apple Macos
CVE-2025-24265Same product: Apple Macos
CVE-2025-24273Same product: Apple Macos
CVE-2024-44199Same product: Apple Macos

References