CVE-2026-20677_CVE-2026-20677

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.

AI Analysis

A race condition vulnerability in macOS allows a shortcut to bypass sandbox restrictions

Basic Information

ID CVE-2026-20677

Source apple

Published Feb 11, 2026 at 22:58

Modified Feb 17, 2026 at 15:31

Affected Product

Vendor Apple

Product macOS

Version unspecified

Affected Versions Apple macOS unspecified
Apple visionOS unspecified
Apple macOS unspecified
Apple iOS and iPadOS unspecified
Apple iOS and iPadOS unspecified

CWE Classification

CWE-367

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor Apple

Product macOS, iOS, iPadOS, visionOS

Version Tahoe 26.3, Sonoma 14.8.4, 18.7.5, 26.3

References

{
    "lastseen": "",
    "description": "A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.",
    "published": "2026-02-11T22:58:18.222Z",
    "modified": "2026-02-17T15:31:49.164Z",
    "type": "cve",
    "title": "CVE-2026-20677",
    "source": "apple",
    "references": "https://support.apple.com/en-us/126348\nhttps://support.apple.com/en-us/126353\nhttps://support.apple.com/en-us/126350\nhttps://support.apple.com/en-us/126346\nhttps://support.apple.com/en-us/126347",
    "id": "CVE-2026-20677",
    "bulletinFamily": "",
    "cwe": [
        "CWE-367"
    ],
    "cvelist": null,
    "sourceData": "Apple macOS unspecified\nApple visionOS unspecified\nApple macOS unspecified\nApple iOS and iPadOS unspecified\nApple iOS and iPadOS unspecified",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "macOS",
    "version": "unspecified",
    "vendor": "Apple",
    "ai_description": "A race condition vulnerability in macOS allows a shortcut to bypass sandbox restrictions",
    "ai_severity": "Critical",
    "ai_vendor": "Apple",
    "ai_product": "macOS, iOS, iPadOS, visionOS",
    "ai_version": "Tahoe 26.3, Sonoma 14.8.4, 18.7.5, 26.3",
    "ai_score": 9
}