LeakyCreds

CVE-2026-20677 - Vulnerability Analysis

Critical | CVSS: 9.0

Last Updated: February 12, 2026

Apple macOS & iOS - Race Condition

Published: February 11, 2026 | Updated: February 12, 2026 | Remote Exploitable

Overview

Apple macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, and iPadOS 26.3 contain a race condition caused by improper handling of symbolic links, which lets attackers bypass sandbox restrictions. Exploitation requires creating a shortcut.

Severity & Score

Severity: Critical
CVSS Score: 9.0
EPSS Score: 5.2% (Probability of exploitation in next 30 days)

Impact

Attackers can bypass sandbox restrictions, potentially leading to unauthorized access or privilege escalation.

Mitigation

Update to macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, and iPadOS 26.3 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 13, 2026

🔴 CVE-2026-20677 - Critical (9) A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20677/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-20677
Severity: Critical
CVSS Score: 9.0
Type: race_condition
Status: confirmed
EPSS: 5.2%
Social Posts: 1

CWE

  • CWE-362

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

5.2% (Probability of exploitation in the next 30 days)