SB2026021191 - Multiple vulnerabilities in Apple visionOS

Description

This security bulletin contains information about 29 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2026-20677)

The vulnerability allows a local user to bypass implemented security restrictions. 

The vulnerability exists due to a race condition in Messages when handling symbolic links in shortcuts. A local user can bypass sandbox restrictions. 

2) Memory corruption (CVE-ID: CVE-2026-20621)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in Wi-Fi. A local application can cause unexpected system termination or corrupt kernel memory.

3) Buffer overflow (CVE-ID: CVE-2026-20635)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

4) Buffer overflow (CVE-ID: CVE-2026-20636)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

5) Buffer overflow (CVE-ID: CVE-2026-20644)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

6) State Issues (CVE-ID: CVE-2026-20676)

The vulnerability allows a remote attacker to track website users.

The vulnerability exists due to a state issue in WebKit. A remote attacker can track users through Safari web extensions.

7) Buffer overflow (CVE-ID: CVE-2026-20608)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

8) Buffer overflow (CVE-ID: CVE-2026-20652)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

9) Information disclosure (CVE-ID: CVE-2026-20641)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to excessive data output by StoreKit. A local application can identify what other apps a user has installed.

10) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20653)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to incorrect handling of path names in Shortcuts. A local application can trick the victim into opening a specially crafted file and access sensitive user data.

11) Permissions, privileges, and access controls (CVE-ID: CVE-2026-20628)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions in Sandbox. A local application can break out of its sandbox.

12) Out-of-bounds write (CVE-ID: CVE-2026-20616)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds write in Model I/O. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination.

13) Resource exhaustion (CVE-ID: CVE-2025-59375)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger large dynamic memory allocations via a small document and perform a denial of service (DoS) attack.

14) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20625)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to incorrect handling of path names in AppleMobileFileIntegrity. A local application can trick the victim into opening a specially crafted file and access sensitive user data.

15) Improper input validation (CVE-ID: CVE-2026-20627)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to insufficient input validation in CoreServices. A local application can access sensitive user data.

16) Input validation error (CVE-ID: CVE-2026-20650)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Bluetooth. A remote attacker in a privileged network position can send specially crafted Bluetooth packets to the system and perform a denial of service (DoS) attack.

17) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20660)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect handling of path names in CFNetwork. A local user can trick the victim into opening a specially crafted file and write arbitrary files.

18) Memory corruption (CVE-ID: CVE-2026-20611)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in CoreAudio. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination or corrupt process memory.

19) Memory corruption (CVE-ID: CVE-2026-20609)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial-of-service or potentially disclose memory contents.

20) State issues (CVE-ID: CVE-2026-20617)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a state management issue in CoreServices. A local application can gain root privileges.

21) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20615)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to incorrect handling of path names in CoreServices. A local application can gain root privileges.

22) Out-of-bounds write (CVE-ID: CVE-2025-14174)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in ANGLE. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild.

23) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-20671)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to a logic issue in the OS kernel. A remote attacker on the local network can intercept network traffic. 

24) Use-after-free (CVE-ID: CVE-2025-43529)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild. 

25) Buffer overflow (CVE-ID: CVE-2026-20700)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in dyld. A local user can trigger memory corruption and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild in conjunction with vulnerabilities #VU119833 (CVE-2025-14174) and #VU119902 (CVE-2025-43529). 

26) Memory corruption (CVE-ID: CVE-2026-20675)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary error in ImageIO. A local user can trick the victim into opening a specially crafted file and perform disclosure of user information.

27) Memory corruption (CVE-ID: CVE-2026-20634)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and gain access to sensitive information.

28) Memory corruption (CVE-ID: CVE-2026-20654)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in Kernel. A local application can cause unexpected system termination.

29) Improper access control (CVE-ID: CVE-2026-20626)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in Kernel. A local application can gain root privileges.

Remediation

Install update from vendor's website.

References

• https://support.apple.com/en-us/126353