CVE-2026-20700
Apple Multiple Buffer Overflow Vulnerability - [Actively Exploited]
Description
A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.
INFO
Published Date :
Feb. 11, 2026, 11:16 p.m.
Last Modified :
March 25, 2026, 5:39 p.m.
Remotely Exploit :
No
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://support.apple.com/en-us/126346 ; https://support.apple.com/en-us/126348 ; https://support.apple.com/en-us/126351 ; https://support.apple.com/en-us/126352 ; https://support.apple.com/en-us/126353 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20700
Affected Products
The following products are affected by CVE-2026-20700
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update watchOS to version 26.3.
- Update tvOS to version 26.3.
- Update macOS to version 26.3.
- Update iOS and iPadOS to version 26.3.
Public PoC/Exploit Available at Github
CVE-2026-20700 has a 14 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-20700.
| URL | Resource |
|---|---|
| https://support.apple.com/en-us/126346 | Release Notes Vendor Advisory |
| https://support.apple.com/en-us/126348 | Release Notes Vendor Advisory |
| https://support.apple.com/en-us/126351 | Release Notes Vendor Advisory |
| https://support.apple.com/en-us/126352 | Release Notes Vendor Advisory |
| https://support.apple.com/en-us/126353 | Release Notes Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20700 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-20700 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-20700
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Siri backend infrastructure on EC2 serving bag.xml — assistantd endpoint_update + iTunes master config from the same instance
None
HTML
None
Python
None
None
Python
None
Python
Technical research and forensic documentation of shadow management, persistent OS overlays, and hidden drive exploits
[WORK IN PROGRESS] My analysis of CVE-2026-20700
None
A Semi-jailbreak for iOS 18.0 -18.7.3/26.1>
None
None
Python
CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio’s AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation bypassed Blastdoor, enabled kernel escalation (CVE-2025-31201), and allowed token theft until patched in iOS 18.4.1 (Apr 16, 2025).
ios zero-day cve-2025-31200 cve-2025-31201 apple imessage zero-click blastdoor
apple cve list
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-20700 vulnerability anywhere in the article.
-
CybersecurityNews
DarkSword Exploit Chain That Can Hack Millions of iPhones Leaked Online
A powerful iOS exploit toolkit known as DarkSword has been publicly leaked on GitHub, dramatically lowering the barrier for cybercriminals to target hundreds of millions of iPhones and iPads still run ... Read more
-
security.nl
Exploitkit voor het hacken van kwetsbare iPhones gepubliceerd op internet
Een exploitkit voor het hacken van kwetsbare iPhones is gepubliceerd op internet, wat de kans op grootschalig misbruik vergroot. Vorige week waarschuwden Google, Lookout en iVerify voor een exploitkit ... Read more
-
Daily CyberSecurity
Unmasking DarkSword: GTIG Exposes Full-Chain iOS Exploit Used by Global Spies
Timeline of DarkSword observations and vulnerability patches | Image: GTIG In a comprehensive technical disclosure, the Google Threat Intelligence Group (GTIG) has revealed the existence of a highly s ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 12
The Good | Operation Synergia III Disrupts Malicious Networks & the EU Sanctions State-Sponsored Attackers Operation Synergia III, an Interpol-led crackdown spanning July 2025 to January 2026, has dis ... Read more
-
Help Net Security
DarkSword: Researchers uncover another iOS exploit kit
A powerful iPhone hacking toolkit dubbed “DarkSword” has been used since November 2025 to compromise devices by exploiting zero-day iOS vulnerabilities, Google researchers have shared. iOS vulnerabili ... Read more
-
The Hacker News
DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover
A new exploit kit for Apple iOS devices designed to steal sensitive data from is being wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intellige ... Read more
-
The Cyber Express
Multiple Threat Actors Exploiting a Six-Vulnerability iOS Exploit Kit Dubbed “DarkSword”
It takes a single page load on a compromised Ukrainian government site, no tap, no download, no warning — and an iPhone running iOS 18.4 through 18.6.2 hands over its messages, photos, passwords, Tele ... Read more
-
The Register
State snoops and spyware vendors planting info-stealing malware on iPhones, Google warns
A new exploit kit targeting iPhone users and stealing their sensitive data is being abused by "multiple" spyware vendors and suspected nation-state goons, security researchers said on Wednesday. The e ... Read more
-
CybersecurityNews
New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data
DarkSword iOS Exploit A sophisticated full-chain iOS exploit kit dubbed DarkSword, actively deployed by multiple commercial surveillance vendors and state-sponsored threat actors since at least Novemb ... Read more
-
security.nl
Onderzoekers ontdekken iOS-exploit gebruikt om iPhones te infecteren
Onderzoekers hebben een iOS-exploit ontdekt die sinds eind vorig jaar door meerdere actoren is gebruikt om iPhones bij gerichte aanvallen met malware te infecteren. Afhankelijk van de betreffende acto ... Read more
-
Google Cloud
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Introduction Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in rec ... Read more
-
The Hacker News
Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CV ... Read more
-
Daily CyberSecurity
Legacy Under Siege: Apple Pushes Emergency iOS 15.8.7 Update to Thwart ‘Coruna’ Exploit Kit
In a major move to protect users of older hardware, Apple has released critical security updates for iOS 15.8.7 and iPadOS 15.8.7. This emergency response follows a stark warning from Google regarding ... Read more
-
Help Net Security
March 2026 Patch Tuesday forecast: Is AI security an oxymoron?
Developers and analysts are using more AI tools to produce code and to test both the performance and security of the finished products. They are also embedding AI functionality in their products direc ... Read more
-
Daily CyberSecurity
Bypassing the Bouncer: Apache Tomcat Patches SNI & Legacy Protocol Flaws
The Apache Software Foundation has rolled out a trio of security updates for its ubiquitous Apache Tomcat web server environment, addressing vulnerabilities that range from legacy protocol confusion t ... Read more
-
Daily CyberSecurity
The Dev Environment Trap: 128 Million Users at Risk as Top VS Code Extensions Unmask Critical Flaws
Ubiquitous extensions for Visual Studio Code, boasting a cumulative download count exceeding 128 million, have been unmasked as susceptible to exploits involving local file exfiltration and remote cod ... Read more
-
Daily CyberSecurity
PoC Publicly Disclosed: Critical Grandstream VoIP Flaw (CVSS 9.3) Grants Stealthy Root Access
If your office desks are equipped with Grandstream GXP1600 series phones, you might want to pause the hold music and update your firmware immediately. A severe zero-day vulnerability has been uncovere ... Read more
-
Daily CyberSecurity
CVE-2025-65717: Critical Vulnerability in VS Code’s Live Server Extension Puts 72 Million Developers at Risk, No Patch
Attack Flow | Image: OX Security A wildly popular tool designed to make web development easier is currently harboring a massive security blind spot. Researchers at OX Security have unearthed a severe ... Read more
-
Daily CyberSecurity
CI/CD at Risk: High-Severity Jenkins XSS Flaw Exposes Build Environments
Maintainers of Jenkins, the world’s leading open-source automation server, have issued critical security updates to address two vulnerabilities within its core architecture. The advisory highlights a ... Read more
-
Daily CyberSecurity
Urgent Chrome Patch: Google Fixes High-Severity PDF and V8 Engine Flaws
Google has initiated an urgent rollout for the Chrome Stable channel, delivering a crucial update to patch three newly disclosed security vulnerabilities. The update, which brings Chrome to version 14 ... Read more
The following table lists the changes that have been made to the
CVE-2026-20700 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Mar. 25, 2026
Action Type Old Value New Value -
CVE Modified by [email protected]
Mar. 25, 2026
Action Type Old Value New Value Changed Description A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report. A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report. -
Modified Analysis by [email protected]
Feb. 13, 2026
Action Type Old Value New Value Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20700 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 12, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20700 -
Initial Analysis by [email protected]
Feb. 12, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 *cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 *cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 *cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 *cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 *cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* versions up to (excluding) 26.3 Added Reference Type Apple Inc.: https://support.apple.com/en-us/126346 Types: Release Notes, Vendor Advisory Added Reference Type Apple Inc.: https://support.apple.com/en-us/126348 Types: Release Notes, Vendor Advisory Added Reference Type Apple Inc.: https://support.apple.com/en-us/126351 Types: Release Notes, Vendor Advisory Added Reference Type Apple Inc.: https://support.apple.com/en-us/126352 Types: Release Notes, Vendor Advisory Added Reference Type Apple Inc.: https://support.apple.com/en-us/126353 Types: Release Notes, Vendor Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 12, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-119 -
New CVE Received by [email protected]
Feb. 11, 2026
Action Type Old Value New Value Added Description A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report. Added Reference https://support.apple.com/en-us/126346 Added Reference https://support.apple.com/en-us/126348 Added Reference https://support.apple.com/en-us/126351 Added Reference https://support.apple.com/en-us/126352 Added Reference https://support.apple.com/en-us/126353