CVE-2026-20687
Published: 25 March 2026
Summary
CVE-2026-20687 is a high-severity Use After Free (CWE-416) vulnerability in Apple Ipados. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the use-after-free vulnerability by identifying, prioritizing, and applying Apple's improved memory management patches.
Implements memory protection mechanisms that prevent unauthorized kernel memory access and use-after-free exploitation.
Enforces secure configuration settings for memory management and hardening features to reduce the risk of kernel memory corruption from unpatched systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Kernel use-after-free enables local privilege escalation via memory corruption/write from unprivileged app context.
NVD Description
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4. An app may be…
more
able to cause unexpected system termination or write kernel memory.
Deeper analysisAI
CVE-2026-20687 is a use-after-free vulnerability (CWE-416) addressed through improved memory management in various Apple operating systems. It affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sequoia prior to 15.7.5, macOS Tahoe prior to 26.4, and tvOS and watchOS prior to 26.4. The issue, published on 2026-03-25, carries a CVSS v3.1 base score of 7.1 (High), stemming from potential kernel memory corruption.
A local attacker with no privileges can exploit this vulnerability by convincing a user to interact with a malicious app (AV:L/AC:L/PR:N/UI:R). Successful exploitation allows the app to cause unexpected system termination, leading to denial of service, or to write to kernel memory, enabling high integrity (I:H) and availability (A:H) impacts with no confidentiality loss (C:N) and unchanged scope (S:U).
Apple security advisories, detailed at support pages such as https://support.apple.com/en-us/126792 through https://support.apple.com/en-us/126797, recommend updating to the fixed versions: iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, and watchOS 26.4 to mitigate the issue.
Details
- CWE(s)