Cyber Posture

CVE-2026-20658

High

Published: 11 February 2026
Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20658 is a high-severity vulnerability in Apple macOS; its weakness type is unspecified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Verifies software integrity using cryptographic mechanisms, directly preventing execution of invalid or tampered packages that enable privilege escalation.

prevent

Requires signed components and signature validation prior to use, comprehensively mitigating package validation bypasses exploited for root privilege gain.

prevent

Mandates timely flaw remediation including vendor patches like macOS Tahoe 26.3, which blocks the vulnerable package to eliminate the privilege escalation risk.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local package validation bypass enabling root privilege escalation matches Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A package validation issue was addressed by blocking the vulnerable package. This issue is fixed in macOS Tahoe 26.3. An app may be able to gain root privileges.

Deeper analysis [AI]

CVE-2026-20658 is a package validation vulnerability affecting macOS Tahoe versions prior to 26.3. The flaw enables an app to bypass validation checks, potentially allowing it to gain root privileges. Apple addressed the issue by blocking the vulnerable package, as detailed in their security advisory.

The vulnerability has a CVSS v3.1 base score of 7.8 (High), with a local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). An attacker with local access and basic user privileges can exploit it to achieve high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), effectively escalating to root on the system.

Apple's advisory at https://support.apple.com/en-us/126348 confirms the fix in macOS Tahoe 26.3, which blocks the vulnerable package, and recommends that users update to this version. No additional workarounds are specified.

Details

CWE(s)

Affected Products

Vendor: apple · Product: macos · Versions: 26.0 — 26.3

CVEs Like This One

CVE-2025-24267 · Same product: Apple Macos
CVE-2026-28817 · Same product: Apple Macos
CVE-2025-24277 · Same product: Apple Macos
CVE-2025-24234 · Same product: Apple Macos
CVE-2025-24255 · Same product: Apple Macos
CVE-2025-24170 · Same product: Apple Macos
CVE-2025-24228 · Same product: Apple Macos
CVE-2026-28821 · Same product: Apple Macos
CVE-2025-30449 · Same product: Apple Macos
CVE-2026-20631 · Same product: Apple Macos

References