CVE-2026-20694
EUVD-2026-1506825.03.2026, 01:17
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| apple | ipados | 𝑥 < 26.3 |
| apple | iphone_os | 𝑥 < 26.3 |
| apple | macos | 14.0 ≤ 𝑥 < 14.8.4 |
| apple | macos | 15.0 ≤ 𝑥 < 15.7.4 |
| apple | macos | 26.0 ≤ 𝑥 < 26.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
- CWE-61 - UNIX Symbolic Link (Symlink) FollowingThe software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.