CVE-2026-20677
Published: 11 February 2026
Summary
CVE-2026-20677 is a critical-severity Race Condition (CWE-362) vulnerability in Apple Ipados. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-4 (Information in Shared System Resources).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the race condition vulnerability by requiring timely flaw remediation through patching the improper symbolic link handling that enables sandbox bypass.
Implements a reference monitor for complete mediation of access decisions on critical resources, preventing time-of-check-to-time-of-use race conditions in symlink handling.
Prevents unauthorized information transfer via shared system resources such as symbolic links, addressing the core exploitation mechanism of this sandbox bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Race condition in symlink handling enables sandbox bypass on macOS/iOS, directly facilitating exploitation for privilege escalation with high impact.
NVD Description
A race condition was addressed with improved handling of symbolic links. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A shortcut may be able to…
more
bypass sandbox restrictions.
Deeper analysisAI
CVE-2026-20677 is a race condition vulnerability in the handling of symbolic links, which allows a shortcut to bypass sandbox restrictions. The issue affects Apple's iOS and iPadOS prior to versions 18.7.5 and 26.3, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. It is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-367 (Path Traversal: '..' and Absolute Path Equivalence Error), and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
A remote attacker with no privileges or user interaction can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation enables a shortcut to evade sandbox protections, potentially granting elevated access and resulting in high-impact confidentiality, integrity, and availability violations across a changed scope.
Apple's security advisories detail the fix through improved symbolic link handling in the listed patched versions. Mitigation involves updating to iOS 18.7.5 or 26.3, iPadOS 18.7.5 or 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, or visionOS 26.3. Additional details are available in the vendor's security content updates at https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126353.
Details
- CWE(s)