CVE-2026-20667
Published: 11 February 2026
Summary
CVE-2026-20667 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Apple Macos. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Process isolation directly prevents malicious apps from escaping sandbox boundaries by enforcing separation between application processes and unauthorized system resources.
The reference monitor mediates all subject-object access decisions, ensuring robust enforcement of sandbox policies against logic flaws allowing breakout.
Access enforcement implements improved checks and policies to restrict app access beyond sandbox confines, directly addressing the logic issue exploited for escape.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape vulnerability directly enables local privilege escalation from a low-privileged app to full system access.
NVD Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, watchOS 26.3. An app may be able to break out of its sandbox.
Deeper analysisAI
CVE-2026-20667 is a logic issue in Apple's sandboxing mechanism that was addressed through improved checks, enabling a malicious app to potentially escape its sandboxed environment. The vulnerability affects iOS and iPadOS prior to version 26.3, macOS Sequoia prior to 15.7.4, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and watchOS prior to 26.3. It has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-693 (Protection Mechanism Failure), though NVD provides no additional CWE details.
A local attacker with low privileges, such as a user-installed malicious app, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the app to break out of its sandbox, achieving high confidentiality, integrity, and availability impacts with a change in scope, potentially compromising the underlying system.
Apple's security advisories detail the fix in the specified software updates, recommending users apply iOS 26.3, iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, or watchOS 26.3 as the primary mitigation. Further details are available in the referenced support pages: https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126349, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126352.
Details
- CWE(s)