CVE-2026-20657 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple IOS AND Ipados

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 85.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Macos Apple Ipados +1 more

Timeline

PublishedMar 25

Description

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5. Parsing a maliciously crafted file may lead to an unexpected app termination.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5apple/macos< 14.8.5+1

▶NVDapple/macos14.0 — 14.8.5+1

▶NVDapple/ipados< 18.7.7

▶CVEListV5apple/ios_and_ipados< 18.7.7

▶NVDapple/iphone_os< 18.7.7

🔴Vulnerability Details

GHSA

GHSA-qm38-v5q7-v23r: The issue was addressed with improved memory handling↗2026-03-25

▶

CVEList

CVE-2026-20657: The issue was addressed with improved memory handling↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20657 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶