Skip to main content

Apple CVE-2026-20657

| EUVDEUVD-2026-15047 MEDIUM
Buffer Overflow (CWE-119)
2026-03-25 apple GHSA-qm38-v5q7-v23r
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
14.8.5,15.7.5,18.7.7
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15047
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:31 nvd
MEDIUM 6.5

DescriptionCVE.org

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5. Parsing a maliciously crafted file may lead to an unexpected app termination.

AnalysisAI

Improper memory handling in Apple iOS, iPadOS, and macOS allows remote denial of service when processing maliciously crafted files, potentially causing unexpected application crashes. An attacker can trigger this vulnerability by delivering a specially crafted file to a victim, resulting in app termination without requiring user privileges or interaction beyond opening the file. No patch is currently available for this medium-severity vulnerability affecting multiple Apple platforms.

Technical ContextAI

The vulnerability resides in Apple's file parsing mechanisms, which handle maliciously crafted input files without proper memory bounds checking or validation. The affected components span across multiple Apple operating systems (iOS, iPadOS, and macOS) as indicated by the broad CPE classifications (cpe:2.3:a:apple:ios_and_ipados and cpe:2.3:a:apple:macos), suggesting the issue may be in a shared code library or framework used across these platforms. While no specific CWE is provided, the vulnerability class relates to improper memory management—likely CWE-119 (Buffer Overflow), CWE-125 (Out-of-bounds Read), or CWE-787 (Out-of-bounds Write)—where insufficient validation of file structure or size parameters allows malformed input to cause memory access violations. The fix indicates Apple implemented improved memory handling, such as bounds checking, safe memory allocation practices, or stricter input validation in the file parsing routines.

RemediationAI

Immediate remediation requires upgrading affected devices to the patched versions: iOS and iPadOS users must update to version 18.7.7 or later, macOS Sequoia users must update to 15.7.5 or later, and macOS Sonoma users must update to 14.8.5 or later. These updates are available through each platform's system software update mechanism (Settings > General > Software Update on iOS/iPadOS; System Settings > General > Software Update on macOS). For enterprise deployments, administrators should use Mobile Device Management (MDM) tools to enforce and track software updates across managed devices. Until patching can be completed, users should avoid opening files from untrusted sources and disable automatic file preview features if available. Organizations should prioritize patching, particularly for devices handling sensitive file processing or exposed to external file inputs.

Share

CVE-2026-20657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy