Cyber Resilience

CVE-2026-20677

Critical

Published: 11 February 2026

Published
11 February 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0026 17.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-20677 is a critical-severity Race Condition (CWE-362) vulnerability in Apple Ipados. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-4 (Information in Shared System Resources).

Deeper analysis

CVE-2026-20677 is a race condition vulnerability in the handling of symbolic links, which allows a shortcut to bypass sandbox restrictions. The issue affects Apple's iOS and iPadOS prior to versions 18.7.5 and 26.3, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. It is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-367 (Path Traversal: '..' and Absolute Path Equivalence Error), and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A remote attacker with no privileges or user interaction can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation enables a shortcut to evade sandbox protections, potentially granting elevated access and resulting in high-impact confidentiality, integrity, and availability violations across a changed scope.

Apple's security advisories detail the fix through improved symbolic link handling in the listed patched versions. Mitigation involves updating to iOS 18.7.5 or 26.3, iPadOS 18.7.5 or 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, or visionOS 26.3. Additional details are available in the vendor's security content updates at https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126353.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A race condition was addressed with improved handling of symbolic links. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A shortcut may be able to…

more

bypass sandbox restrictions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Race condition in symlink handling enables sandbox bypass on macOS/iOS, directly facilitating exploitation for privilege escalation with high impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20626Same product: Apple Ipados
CVE-2026-20688Same product: Apple Ipados
CVE-2026-20615Same product: Apple Ipados
CVE-2025-24154Same product: Apple Ipados
CVE-2025-24173Same product: Apple Ipados
CVE-2025-31184Same product: Apple Ipados
CVE-2024-40771Same product: Apple Ipados
CVE-2025-30456Same product: Apple Ipados
CVE-2026-28951Same product: Apple Ipados
CVE-2026-20628Same product: Apple Ipados

Affected Assets

apple
ipados
≤ 18.7.5 · 26.0 — 26.3
apple
iphone os
≤ 18.7.5 · 26.0 — 26.3
apple
macos
≤ 14.8.4 · 26.0 — 26.3
apple
visionos
≤ 26.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the race condition vulnerability by requiring timely flaw remediation through patching the improper symbolic link handling that enables sandbox bypass.

prevent

Implements a reference monitor for complete mediation of access decisions on critical resources, preventing time-of-check-to-time-of-use race conditions in symlink handling.

prevent

Prevents unauthorized information transfer via shared system resources such as symbolic links, addressing the core exploitation mechanism of this sandbox bypass vulnerability.

References