CVE-2026-20677
EUVD-2026-6233
11.02.2026, 23:16
A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| apple | ipados | 𝑥 < 18.7.5 |
| apple | ipados | 26.0 ≤ 𝑥 < 26.3 |
| apple | iphone_os | 𝑥 < 18.7.5 |
| apple | iphone_os | 26.0 ≤ 𝑥 < 26.3 |
| apple | macos | 𝑥 < 14.8.4 |
| apple | macos | 26.0 ≤ 𝑥 < 26.3 |
| apple | visionos | 𝑥 < 26.3 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition: The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.