CVE-2026-20700 - Vulnerability Analysis
Severity: High | CVSS: 7.8 | Last Updated: February 13, 2026
Apple - Buffer Overflow
Overview
Apple watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3, and iPadOS 26.3 contain a buffer overflow caused by improper state management. Exploitation requires memory write capability; an attacker who has it can execute arbitrary code.
Impact
Attackers with memory write capability can execute arbitrary code, potentially leading to full system compromise.
Mitigation
Update to version 26.3 or later.
Social Media Activity (2 posts)
There is a bunch of buzz along the lines of "Apple FINALLY backports DarkSword related fixes to 18.x and will release this on April 1". Based on publicly available information this is incorrect. What Apple has actually done is broaden the device models that are eligible to upgrade to iOS/iPadOS 18.

Per Google [1], every vuln in the DarkSword kit except for CVE-2026-20700 had already been patched in iOS 18 as of 18.7.3, which was released on Dec 12, 2025. Per Apple [2], CVE-2026-20700 is not included in 18.7.7, which was released today.

Apple has placed an easy-to-miss note at the top of the release notes: "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called Darksword. The fixes associated with the Darksword exploit first shipped in 2025."

Unfortunately I don't see an indication of which devices are newly eligible to upgrade to iOS/iPadOS 18.

References:
[1] Google DarkSword writeup: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
[2] Apple iOS/iPadOS 18.7.7 release notes: https://support.apple.com/en-us/126793

#Security #Apple #DarkSword
Details
- CVE ID: CVE-2026-20700
- Severity: High
- CVSS Score: 7.8
- Type: buffer_overflow
- Status: confirmed
- EPSS: 30.2%
- Social Posts: 2
CWE
- CWE-119
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H