CVE-2026-20668: Use After Free
Published Feb 11, 2026
·Updated
802.1X. An authentication issue was addressed with improved state management.
Other sources
A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.
— MITRE
Accessibility. A privacy issue was addressed by removing sensitive data.
— Apple
Accessibility. An inconsistent user interface issue was addressed with improved state management.
— Apple
Accounts. An authorization issue was addressed with improved state management.
— Apple
Admin Framework. A parsing issue in the handling of directory paths was addressed with improved path validation.
— Apple
Credit
Wong Wee Xiang, Loh Boon Keat, Jacob Prezant (prezant.us), Johnny Franks (zeroxjf), an anonymous researcher, jioundai, Nils Hanff @chaos.social)@@nils1729(Hasso Plattner Institute), Amy (amys.website), Atul Kishor Jaiswal, Anonymous(Trend Micro Zero Day Initiative), Yiğit Can YILMAZ@@yilmazcanyigit, Golden Helm Securities(Iru), Gergely Kalman@@gergely_kalman(Iru), Csaba Fitzl@@theevilbit(Iru), Gergely Kalman@@gergely_kalman, Google Threat Analysis Group, Kirin@@Pwnrin, Asaf Cohen, George Karchemsky@@gkarchemsky(Trend Micro Zero Day Initiative), Jian Lee@@speedyfriend433, Keisuke Hosoda, Xin'an Zhou, Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, Mathy Vanhoef, Zhongcheng Li(IES Red Team), CVE-2025-59375, Richard Hyunho Im at Route Zero Security (routezero.security)@@richeeta, Ron Masas(BreakPoint), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Dalibor Milanovic, Noah Gregory (wts.dev), Óscar García Pérez, Stanislav Jelezoglo, Viktor Lord Härringtón, Enis Maholli (enismaholli.com), Gongyu Ma@@Mezone0, LeminLimez, Nathaniel Oh@@calysteon, HanQing(TSDubhe), Nan Wang@@eternalsakura13, Tom Van Goethem, EntryHi, Wang Yu(Cyberserval), Mickey Jin@@patch1t, Ryan Dowd@@_rdowd, @@cloudlldb, Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Murray Mike, Chunyu Song(NorthSea), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Pwn2car, Morris Richman@@morrisinlife, Vivek Dhar, ASI (RM) in Border Security Force, FTR HQ BSF Kashmir, Héloïse Gollier, Mathy Vanhoef (KU Leuven), Justin Cohen(Google), Cristian Dinca (icmd.tech), Hossein Lotfi@@hosselot(TrendAI Zero Day Initiative), Etienne Charron (Renault), Victoria Martini (Renault), CVE-2025-14524, Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), CVE-2025-64505, iG0x72(XiguaSec), JJ(XiguaSec), Lehan Dilusha Jayasinghe, Gor Aleksanyan(BoB 0xB6), Dhiyanesh Selvaraj@@redroot97(BoB 0xB6), 이동하 (Lee Dong Ha(BoB 0xB6), Johnny Franks@@zeroxjf, Alex Radocea, Hazem Issa, Yongdae Kim @ SysSec, KAIST, Caspian Tarafdar, Andrew Becker, webb, Thomas Espach, Mike Cardwell(grepular), Bob Lord, Hongze Wu(Ant Group Infrastructure Security Team), Shuaike Dong(Ant Group Infrastructure Security Team), @@hamayanhamayan, Rosyna Keller(Totally Not Malicious Software), CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200, Jex Amro, YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, DARKNAVY@@DarkNavyOrg, hari shanmugam, Sreejith Krishnan R, Himanshu Bharti@@Xpl0itme(Khatima), Matej Moravec@@MacejkoMoravec, Dawuge(Shuffle Team), Hunan University, Kun Peeks@@SwayZGl1tZyyy, Gyujeong Jin at Team.0xb6@@G1uN4sh, wdszzml, Atuin Automated Vulnerability Discovery Engine, Christian Kohlschütter, Dave G., @@pixiepointsec
Affected Software
16 affected componentsFixes available
Apple iOS<18.7.7
18.7.7
Apple iPadOS<18.7.7
18.7.7
Apple macOS Sequoia<15.7.5
15.7.5
Apple macOS Sonoma<14.8.5
14.8.5
Apple iOS<26.3
26.3
Apple iPadOS<26.3
26.3
Apple macOS Tahoe<26.3
26.3
Apple visionOS<26.3
26.3
Apple iPadOS<18.7.7
Apple iPadOS>=26.0<26.3
Apple iPhone OS<18.7.7
Apple iPhone OS>=26.0<26.3
Apple macOS<14.8.5
Apple macOS>=15.0<15.7.5
Apple macOS>=26.0<26.3
Apple visionOS<26.3
Event History
Feb 11, 2026
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Mar 24, 2026
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Mar 25, 2026
CVE Published
via MITRE·12:35 AM
Data Sourced
via MITRE·12:35 AM
DescriptionWeakness
Data Sourced
via NVD·01:17 AM
DescriptionSeverityWeaknessAffected Software
May 12, 2026
Updated
via Apple·06:36 PM
DescriptionWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-20645
- CVE-2026-20674
- CVE-2026-20637
- CVE-2026-20650
- CVE-2026-20638
- CVE-2026-20660
- CVE-2026-20686
- CVE-2026-20611
- CVE-2026-20609
- CVE-2026-20617
- CVE-2026-20615
- CVE-2026-20627
- CVE-2025-14174
- CVE-2025-43529
- CVE-2026-20700
- CVE-2026-20668
- CVE-2026-20649
- CVE-2026-20675
- CVE-2026-20634
- CVE-2026-20654
- CVE-2026-20626
- CVE-2026-20671
- CVE-2026-20663
- CVE-2025-59375
- CVE-2026-20667
- CVE-2026-20655
- CVE-2026-20677
- CVE-2026-20694
- CVE-2026-20642
- CVE-2026-20628
- CVE-2026-20678
- CVE-2026-28855
- CVE-2026-20682
- CVE-2026-20653
- CVE-2026-20680
- CVE-2026-20641
- CVE-2026-20606
- CVE-2026-20640
- CVE-2026-20661
- CVE-2026-20652
- CVE-2026-20608
- CVE-2026-20676
- CVE-2026-20644
- CVE-2026-20636
- CVE-2026-20635
- CVE-2026-20621
- CVE-2026-20669
- CVE-2026-20670
- CVE-2026-20625
- CVE-2026-20624
- CVE-2026-20639
- CVE-2026-20681
- CVE-2026-20629
- CVE-2026-20601
- CVE-2026-20623
- CVE-2026-20620
- CVE-2026-20630
- CVE-2026-20673
- CVE-2026-20651
- CVE-2026-20616
- CVE-2026-20603
- CVE-2026-20666
- CVE-2026-20614
- CVE-2026-20656
- CVE-2026-20658
- CVE-2026-20610
- CVE-2026-20622
- CVE-2026-20648
- CVE-2026-20662
- CVE-2026-20647
- CVE-2026-20612
- CVE-2026-20699
- CVE-2026-20619
- CVE-2026-20618
- CVE-2026-20605
- CVE-2026-20646
- CVE-2026-20602
- CVE-2026-28865
- CVE-2026-28879
- CVE-2026-28866
- CVE-2026-20690
- CVE-2026-28886
- CVE-2026-28878
- CVE-2025-14524
- CVE-2026-28876
- CVE-2026-28880
- CVE-2025-64505
- CVE-2025-43534
- CVE-2026-28868
- CVE-2026-28867
- CVE-2026-20687
- CVE-2026-28864
- CVE-2026-28860
- CVE-2026-28967
- CVE-2026-28852
- CVE-2026-20657
- CVE-2026-20665
- CVE-2026-20643
- CVE-2025-43376
- CVE-2026-28861
- CVE-2026-28871
- CVE-2026-28877
- CVE-2025-55753
- CVE-2025-58098
- CVE-2025-59775
- CVE-2025-65082
- CVE-2025-66200
- CVE-2026-28824
- CVE-2026-28822
- CVE-2026-28894
- CVE-2026-28821
- CVE-2026-28838
- CVE-2026-28888
- CVE-2026-20633
- CVE-2026-28892
- CVE-2026-28832
- CVE-2026-28834
- CVE-2026-20695
- CVE-2026-28829
- CVE-2026-20607
- CVE-2026-20692
- CVE-2026-28891
- CVE-2026-20701
- CVE-2026-28839
- CVE-2026-28827
- CVE-2026-28816
- CVE-2026-28826
- CVE-2026-20693
- CVE-2026-28862
- CVE-2026-28831
- CVE-2026-28817
- CVE-2026-20688
- CVE-2026-28835
- CVE-2026-28825
- CVE-2026-28818
- CVE-2026-20697
- CVE-2026-28828