CVE-2026-20677

9.0 CRITICAL

📋 TL;DR

This CVE describes a race condition vulnerability in Apple operating systems that allows shortcuts to bypass sandbox restrictions through improper handling of symbolic links. Attackers could potentially escape application sandboxes to access restricted resources. Affects users of macOS, iOS, iPadOS, and visionOS who haven't applied security updates.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
  • visionOS
Versions: prior to macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, iPadOS 26.3
Operating Systems: macOS, iOS, iPadOS, visionOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected operating systems are vulnerable. The vulnerability specifically affects the handling of symbolic links in shortcut/sandbox mechanisms.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary code with elevated privileges, access sensitive user data, or perform unauthorized system modifications by escaping application sandboxes.

🟠

Likely Case

Malicious shortcuts could access files or resources outside their intended sandbox, potentially leading to data theft or privilege escalation within affected applications.

🟢

If Mitigated

With proper patching, the vulnerability is eliminated; with application sandboxing and least privilege principles, impact would be limited even if exploited.

🌐 Internet-Facing: MEDIUM - While exploitation requires user interaction (running a malicious shortcut), web-based delivery mechanisms could facilitate attacks.
🏢 Internal Only: MEDIUM - Internal users with access to create or distribute shortcuts could exploit this, but requires specific conditions and user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires race condition timing and user interaction (running a malicious shortcut). No public exploit code is currently known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, iPadOS 26.3

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: No

Instructions:

1. Open System Settings (macOS) or Settings (iOS/iPadOS/visionOS).
2. Navigate to General > Software Update.
3. Install the latest available update.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Untrusted Shortcuts

all

Prevent execution of shortcuts from untrusted sources to reduce attack surface.

Settings > Privacy & Security > Security > Allow Apps Downloaded From: App Store

Restrict Shortcut Permissions

all

Review and limit permissions granted to existing shortcuts.

Settings > Privacy & Security > Security > Review shortcut permissions

🧯 If You Can't Patch

  • Implement application allowlisting to restrict which shortcuts can execute
  • Use mobile device management (MDM) to enforce security policies and restrict shortcut functionality

🔍 How to Verify

Check if Vulnerable:

Check the current OS version against the affected versions list. On macOS: sw_vers -productVersion. On iOS/iPadOS: Settings > General > About > Version.

Check Version:

macOS: sw_vers -productVersion; iOS/iPadOS/visionOS: Check in Settings > General > About

Verify Fix Applied:

Verify OS version matches or exceeds patched versions listed in the fix information.
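The version comparison above can be scripted on macOS so a fleet check does not depend on eyeballing dotted version strings. The following POSIX sh script is an added example, not part of this advisory card or of Apple's tooling; the only values it takes from the page are the two patched macOS versions (Tahoe 26.3 and Sonoma 14.8.4). Any other major version, such as 15.x, is not listed on this page, so the script reports it as unlisted rather than guessing.

```shell
#!/bin/sh
# Added example: compare an installed macOS version against the patched
# versions listed on this page for CVE-2026-20677.

# version_ge A B
#   Returns 0 when dotted version A is greater than or equal to B,
#   comparing component by component and treating missing components
#   as 0 (so 26.3 == 26.3.0 and 26.3.1 > 26.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# macos_status VERSION
#   Prints "patched", "vulnerable" or "unlisted" and returns 0, 1 or 2.
#   Patched versions are the ones this page lists: 26.3 (Tahoe), 14.8.4 (Sonoma).
#   Major versions the page does not mention are reported as "unlisted".
macos_status() {
    v="$1"
    major=${v%%.*}
    case "$major" in
        26) required=26.3 ;;
        14) required=14.8.4 ;;
        *)  echo unlisted; return 2 ;;
    esac
    if version_ge "$v" "$required"; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# On a Mac, check the running system; elsewhere (no sw_vers) do nothing.
if command -v sw_vers >/dev/null 2>&1; then
    macos_status "$(sw_vers -productVersion)" || true
fi
```

Run it directly on a Mac to get one word of output, or source it and call `macos_status` with version strings collected by MDM to classify an inventory. The exit code (0 patched, 1 vulnerable, 2 unlisted) makes it easy to chain into a compliance check.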

📡 Detection & Monitoring

Log Indicators:

  • Unusual shortcut execution patterns
  • Sandbox violation logs
  • Symbolic link creation in shortcut contexts

Network Indicators:

  • Downloads of shortcut files from untrusted sources
  • Network traffic from shortcut processes attempting to access restricted resources

SIEM Query:

process_name:"Shortcuts" AND (event_type:"sandbox_violation" OR file_path:"*symlink*")
