CVE-2026-20632: Use After Free
Published Mar 24, 2026
·Updated
802.1X. An authentication issue was addressed with improved state management.
Other sources
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
— NVD
Accounts. An authorization issue was addressed with improved state management.
— Apple
Admin Framework. A path handling issue was addressed with improved validation.
— Apple
apache. This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
— Apple
AppleMobileFileIntegrity. A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
— Apple
Credit
Héloïse Gollier, Mathy Vanhoef (KU Leuven), Rosyna Keller(Totally Not Malicious Software), Ryan Dowd@@_rdowd, CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200, Mickey Jin@@patch1t, an anonymous researcher, Koh M. Nakagawa@@tsunek0h(FFRI Security Inc), Talal Haj Bakry(Mysk Inc), Tommy Mysk@@mysk_co(Mysk Inc), Zhongquan Li@@Guluisacat, Justin Cohen(Google), Jex Amro, Cristian Dinca (icmd.tech), Hossein Lotfi@@hosselot(TrendAI Zero Day Initiative), YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), Etienne Charron (Renault), Victoria Martini (Renault), Zhongcheng Li(IES Red Team), Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), Asaf Cohen, CVE-2025-14524, 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, DARKNAVY@@DarkNavyOrg, XiguaSec, Ye Zhang(Baidu Security), Ryan Dowd@@_rdowd(Iru), Csaba Fitzl@@theevilbit(Iru), CVE-2025-64505, Joseph Ravichandran@@0xjprx(MIT CSAIL), Gor Aleksanyan(BoB 0xB6), Dhiyanesh Selvaraj@@redroot97(BoB 0xB6), 이동하 (Lee Dong Ha(BoB 0xB6), Jian Lee@@speedyfriend433, hari shanmugam, Johnny Franks@@zeroxjf, Yuebin Sun@@yuebinsun2020(SecuRing), an anonymous researcher(SecuRing), Nathaniel Oh@@calysteon(SecuRing), Kirin@@Pwnrin(SecuRing), Wojciech Regula(SecuRing), Joshua Jewett@@JoshJewett33, Ilya Andr (andrd3v)(Voynich Group), Ilias Morad (A2nkF)(Voynich Group), Duy Trần@@khanhduytran0, @@hugeBlack, Himanshu Bharti@@Xpl0itme(Khatima), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Matej Moravec@@MacejkoMoravec, Dawuge(Shuffle Team), Hunan University, Gergely Kalman@@gergely_kalman, Andrei Dodu, Morris Richman@@morrisinlife, Kun Peeks@@SwayZGl1tZyyy, Gyujeong Jin at Team.0xb6@@G1uN4sh, wdszzml, Atuin Automated Vulnerability Discovery Engine, Alex Radocea, Christian Kohlschütter, Sreejith Krishnan R, Dave G., @@pixiepointsec, Luke Roberts@@rookuu, Pedro Tôrres@@t0rr3sp3dr0, Caspian Tarafdar, Andrew Becker, webb, Thomas Espach, @@hamayanhamayan, Yeonghyeon Choi, Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch3301, Yevhen Pervushyn, Minse Kim, Narcis Oliveras Fontàs, Nathaniel Oh@@calysteon, Hongze Wu(Ant Group Infrastructure Security Team), Shuaike Dong(Ant Group Infrastructure Security Team), greenbynox, Arni Hardarson, Gongyu Ma@@Mezone0
Affected Software
2 affected componentsFixes available
Apple macOS Tahoe<26.4
26.4
Apple macOS>=26.0<26.4
Event History
Mar 24, 2026
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Mar 25, 2026
CVE Published
via MITRE·12:32 AM
Data Sourced
via MITRE·12:32 AM
DescriptionWeakness
Data Sourced
via NVD·01:17 AM
DescriptionSeverityWeaknessAffected Software
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-28865
- CVE-2026-28877
- CVE-2026-28823
- CVE-2025-55753
- CVE-2025-58098
- CVE-2025-59775
- CVE-2025-65082
- CVE-2025-66200
- CVE-2026-28824
- CVE-2026-20696
- CVE-2026-20699
- CVE-2026-20684
- CVE-2026-20633
- CVE-2026-28910
- CVE-2026-28879
- CVE-2026-28822
- CVE-2026-28894
- CVE-2026-28866
- CVE-2026-20690
- CVE-2026-28821
- CVE-2026-28838
- CVE-2026-28886
- CVE-2026-28878
- CVE-2026-28888
- CVE-2026-28893
- CVE-2025-14524
- CVE-2026-28876
- CVE-2026-28892
- CVE-2026-28832
- CVE-2026-28870
- CVE-2026-28834
- CVE-2026-28881
- CVE-2026-28880
- CVE-2026-28833
- CVE-2025-64505
- CVE-2026-28842
- CVE-2026-28841
- CVE-2026-28868
- CVE-2026-28867
- CVE-2026-20698
- CVE-2026-20695
- CVE-2026-20687
- CVE-2026-28845
- CVE-2026-28882
- CVE-2026-20607
- CVE-2026-20692
- CVE-2026-20694
- CVE-2026-20632
- CVE-2026-28839
- CVE-2026-20701
- CVE-2026-28891
- CVE-2026-28827
- CVE-2026-28816
- CVE-2026-28826
- CVE-2026-20631
- CVE-2026-20693
- CVE-2026-28840
- CVE-2026-28862
- CVE-2026-28831
- CVE-2026-28817
- CVE-2026-20688
- CVE-2026-28864
- CVE-2026-28830
- CVE-2026-28860
- CVE-2026-28835
- CVE-2026-28825
- CVE-2026-28818
- CVE-2026-20697
- CVE-2026-28820
- CVE-2026-28837
- CVE-2026-28844
- CVE-2026-28828
- CVE-2026-28852
- CVE-2026-20657
- CVE-2026-28829
- CVE-2026-20665
- CVE-2026-20643
- CVE-2026-28871
- CVE-2026-20664
- CVE-2026-28857
- CVE-2026-28861
- CVE-2026-28859
- CVE-2026-20691