CVE-2026-20662

4.6 MEDIUM

📋 TL;DR

This macOS vulnerability allows an attacker with physical access to a locked device to bypass authorization controls and view sensitive user information. It affects macOS systems before specific security updates. Users with sensitive data on their Macs are at risk if devices are left unattended.

💻 Affected Systems

Products:
  • macOS
Versions: Versions before macOS Sequoia 15.7.4 and macOS Tahoe 26.3
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with lock screen enabled. Requires physical access to the device.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Physical attacker gains access to sensitive personal, financial, or corporate data stored on the device while it appears locked.

🟠 Likely Case: Unauthorized viewing of recent notifications, messages, or files accessible from lock screen without full system access.

🟢 If Mitigated: No data exposure due to proper physical security controls preventing unauthorized device access.

🌐 Internet-Facing: LOW - Requires physical access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Insider threat or physical theft scenarios could lead to data exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires physical device access and specific timing/conditions. No remote exploitation possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Sequoia 15.7.4 or macOS Tahoe 26.3

Vendor Advisory: https://support.apple.com/en-us/126348

Restart Required: Yes

Instructions:

1. Open System Settings
2. Click General
3. Click Software Update
4. Install available updates
5. Restart when prompted

🔧 Temporary Workarounds

Enhanced Physical Security

all

Ensure devices are physically secured when unattended to prevent unauthorized access.

Immediate Locking

macOS

Configure shorter screen lock timeouts and require immediate password on wake.

🧯 If You Can't Patch

  • Implement strict physical security controls for all vulnerable devices
  • Enable FileVault encryption to protect data at rest

🔍 How to Verify

Check if Vulnerable:

Check the macOS version in System Settings > General > About. If the version is earlier than Sequoia 15.7.4 or Tahoe 26.3, the device is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Confirm macOS version shows Sequoia 15.7.4 or Tahoe 26.3 or later in System Settings > General > About.
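
The version check above can be scripted for fleet use. This is an added example, not code from Apple or from this advisory: the helper name `check_cve_2026_20662` is hypothetical, and treating releases newer than Tahoe as fixed is an assumption.

```shell
# Added example. check_cve_2026_20662 is a hypothetical helper, not an Apple tool.
# Prints one of: vulnerable | patched | unknown
check_cve_2026_20662() {
    ver=$1
    # Accept only dotted decimal versions such as 15.7.3 or 26.3.
    case "$ver" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    # Split major.minor.patch; missing components count as 0.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -lt 15 ]; then
        # Page rule: anything earlier than Sequoia 15.7.4 is affected.
        echo vulnerable; return 0
    elif [ "$major" -eq 15 ]; then
        fix_minor=7; fix_patch=4      # fixed in Sequoia 15.7.4
    elif [ "$major" -eq 26 ]; then
        fix_minor=3; fix_patch=0      # fixed in Tahoe 26.3
    elif [ "$major" -gt 26 ]; then
        # Assumption: releases after Tahoe ship with the fix.
        echo patched; return 0
    else
        echo unknown; return 0        # not a macOS release line (16-25)
    fi

    # Compare within the release line: (minor, patch) >= fixed build.
    if [ "$minor" -gt "$fix_minor" ] ||
       { [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a Mac, classify the running system; skipped where sw_vers is absent.
if command -v sw_vers >/dev/null 2>&1; then
    check_cve_2026_20662 "$(sw_vers -productVersion)"
fi
```

The comparison is done per release line, so a 15.x build is never judged against the Tahoe fix version or the reverse.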

📡 Detection & Monitoring

Log Indicators:

  • Unusual lock/unlock patterns
  • Failed authentication attempts followed by successful screen access

Network Indicators:

  • None - purely local physical attack

SIEM Query:

source="macOS" (event="screen_unlock" OR event="authentication") | stats count by user, device_id
