CVE-2026-20618: Input Validation
Admin Framework. A parsing issue in the handling of directory paths was addressed with improved path validation.
Other sources
An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data.
— NVD
AppleEvents. An authorization issue was addressed with improved state management.
— Apple
AppleKeyStore. A use after free issue was addressed with improved memory management.
— Apple
AppleMobileFileIntegrity. A parsing issue in the handling of directory paths was addressed with improved path validation.
— Apple
AppleMobileFileIntegrity. An injection issue was addressed with improved validation.
— Apple
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-20669
- CVE-2026-20670
- CVE-2026-20637
- CVE-2026-20625
- CVE-2026-20624
- CVE-2026-20650
- CVE-2026-20660
- CVE-2026-20639
- CVE-2026-20681
- CVE-2026-20611
- CVE-2026-20609
- CVE-2026-20617
- CVE-2026-20615
- CVE-2026-20627
- CVE-2025-14174
- CVE-2025-43529
- CVE-2026-20700
- CVE-2026-20668
- CVE-2026-20629
- CVE-2026-20601
- CVE-2026-20623
- CVE-2026-20649
- CVE-2026-20620
- CVE-2026-20675
- CVE-2026-20634
- CVE-2026-20654
- CVE-2026-20626
- CVE-2026-20671
- CVE-2026-20630
- CVE-2025-59375
- CVE-2026-20667
- CVE-2026-20673
- CVE-2026-20677
- CVE-2026-20651
- CVE-2026-20694
- CVE-2026-20616
- CVE-2026-20603
- CVE-2026-20666
- CVE-2026-20614
- CVE-2026-20656
- CVE-2026-20628
- CVE-2026-28855
- CVE-2026-20658
- CVE-2026-20610
- CVE-2026-20653
- CVE-2026-20622
- CVE-2026-20648
- CVE-2026-20662
- CVE-2026-20647
- CVE-2026-20680
- CVE-2026-20612
- CVE-2026-20699
- CVE-2026-20641
- CVE-2026-20619
- CVE-2026-20618
- CVE-2026-20606
- CVE-2026-20605
- CVE-2026-20646
- CVE-2026-20652
- CVE-2026-20608
- CVE-2026-20676
- CVE-2026-20644
- CVE-2026-20636
- CVE-2026-20635
- CVE-2026-20621
- CVE-2026-20602