CVE-2026-20639: Use After Free
Published Feb 11, 2026
·Updated
802.1X. An authentication issue was addressed with improved state management.
Other sources
Accounts. An authorization issue was addressed with improved state management.
— Apple
Admin Framework. A parsing issue in the handling of directory paths was addressed with improved path validation.
— Apple
An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption.
— MITRE
apache. This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
— Apple
AppleEvents. An authorization issue was addressed with improved state management.
— Apple
Credit
Mickey Jin@@patch1t, Noah Gregory (wts.dev), Johnny Franks (zeroxjf), an anonymous researcher, Ryan Dowd@@_rdowd, jioundai, Amy (amys.website), @@cloudlldb, Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Anonymous(Trend Micro Zero Day Initiative), Yiğit Can YILMAZ@@yilmazcanyigit, Golden Helm Securities(Iru), Gergely Kalman@@gergely_kalman(Iru), Csaba Fitzl@@theevilbit(Iru), Gergely Kalman@@gergely_kalman, Google Threat Analysis Group, Kirin@@Pwnrin, Asaf Cohen, Murray Mike, George Karchemsky@@gkarchemsky(Trend Micro Zero Day Initiative), Jian Lee@@speedyfriend433, Keisuke Hosoda, Xin'an Zhou, Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, Mathy Vanhoef, CVE-2025-59375, Ron Masas(BreakPoint), Chunyu Song(NorthSea), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Pwn2car, Enis Maholli (enismaholli.com), Morris Richman@@morrisinlife, Vivek Dhar, ASI (RM) in Border Security Force, FTR HQ BSF Kashmir, Gongyu Ma@@Mezone0, LeminLimez, Nathaniel Oh@@calysteon, HanQing(TSDubhe), Nan Wang@@eternalsakura13, Tom Van Goethem, EntryHi, Wang Yu(Cyberserval), Rosyna Keller(Totally Not Malicious Software), CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200, Justin Cohen(Google), Jex Amro, Cristian Dinca (icmd.tech), Hossein Lotfi@@hosselot(TrendAI Zero Day Initiative), YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), Etienne Charron (Renault), Victoria Martini (Renault), Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), CVE-2025-14524, 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, DARKNAVY@@DarkNavyOrg, Zhongcheng Li(IES Red Team), CVE-2025-64505, Gor Aleksanyan(BoB 0xB6), Dhiyanesh Selvaraj@@redroot97(BoB 0xB6), 이동하 (Lee Dong Ha(BoB 0xB6), hari shanmugam, Johnny Franks@@zeroxjf, Sreejith Krishnan R, Himanshu Bharti@@Xpl0itme(Khatima), Matej Moravec@@MacejkoMoravec, Dawuge(Shuffle Team), Hunan University, Kun Peeks@@SwayZGl1tZyyy, Gyujeong Jin at Team.0xb6@@G1uN4sh, wdszzml, Atuin Automated Vulnerability Discovery Engine, Alex Radocea, Christian Kohlschütter, Dave G., @@pixiepointsec, Caspian Tarafdar, Andrew Becker, Héloïse Gollier, Mathy Vanhoef (KU Leuven)
Affected Software
6 affected componentsFixes available
Apple macOS Sequoia<15.7.5
15.7.5
Apple macOS Sonoma<14.8.5
14.8.5
Apple macOS Tahoe<26.3
26.3
Apple macOS>=14.0<14.8.5
Apple macOS>=15.0<15.7.5
Apple macOS>=26.0<26.3
Event History
Feb 11, 2026
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeakness
Mar 24, 2026
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Mar 25, 2026
CVE Published
via MITRE·12:32 AM
Data Sourced
via MITRE·12:32 AM
DescriptionWeakness
Data Sourced
via NVD·01:17 AM
DescriptionSeverityWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-20669
- CVE-2026-20670
- CVE-2026-20637
- CVE-2026-20625
- CVE-2026-20624
- CVE-2026-20650
- CVE-2026-20660
- CVE-2026-20639
- CVE-2026-20681
- CVE-2026-20611
- CVE-2026-20609
- CVE-2026-20617
- CVE-2026-20615
- CVE-2026-20627
- CVE-2025-14174
- CVE-2025-43529
- CVE-2026-20700
- CVE-2026-20668
- CVE-2026-20629
- CVE-2026-20601
- CVE-2026-20623
- CVE-2026-20649
- CVE-2026-20620
- CVE-2026-20675
- CVE-2026-20634
- CVE-2026-20654
- CVE-2026-20626
- CVE-2026-20671
- CVE-2026-20630
- CVE-2025-59375
- CVE-2026-20667
- CVE-2026-20673
- CVE-2026-20677
- CVE-2026-20651
- CVE-2026-20694
- CVE-2026-20616
- CVE-2026-20603
- CVE-2026-20666
- CVE-2026-20614
- CVE-2026-20656
- CVE-2026-20628
- CVE-2026-28855
- CVE-2026-20658
- CVE-2026-20610
- CVE-2026-20653
- CVE-2026-20622
- CVE-2026-20648
- CVE-2026-20662
- CVE-2026-20647
- CVE-2026-20680
- CVE-2026-20612
- CVE-2026-20699
- CVE-2026-20641
- CVE-2026-20619
- CVE-2026-20618
- CVE-2026-20606
- CVE-2026-20605
- CVE-2026-20646
- CVE-2026-20652
- CVE-2026-20608
- CVE-2026-20676
- CVE-2026-20644
- CVE-2026-20636
- CVE-2026-20635
- CVE-2026-20621
- CVE-2026-20602
- CVE-2026-28865
- CVE-2026-28877
- CVE-2025-55753
- CVE-2025-58098
- CVE-2025-59775
- CVE-2025-65082
- CVE-2025-66200
- CVE-2026-28824
- CVE-2026-28879
- CVE-2026-28822
- CVE-2026-28894
- CVE-2026-28866
- CVE-2026-20690
- CVE-2026-28821
- CVE-2026-28838
- CVE-2026-28886
- CVE-2026-28888
- CVE-2025-14524
- CVE-2026-20633
- CVE-2026-28876
- CVE-2026-28892
- CVE-2026-28832
- CVE-2026-28834
- CVE-2026-28880
- CVE-2025-64505
- CVE-2026-28868
- CVE-2026-28867
- CVE-2026-20695
- CVE-2026-20687
- CVE-2026-28829
- CVE-2026-20607
- CVE-2026-20692
- CVE-2026-28891
- CVE-2026-20701
- CVE-2026-28839
- CVE-2026-28827
- CVE-2026-28816
- CVE-2026-28826
- CVE-2026-20693
- CVE-2026-28862
- CVE-2026-28831
- CVE-2026-28817
- CVE-2026-20688
- CVE-2026-28864
- CVE-2026-28860
- CVE-2026-28835
- CVE-2026-28825
- CVE-2026-28818
- CVE-2026-20697
- CVE-2026-28828
- CVE-2026-28852
- CVE-2026-20657
- CVE-2026-28878