CVE-2026-20637 - Vulnerability Details

Description

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An app may be able to cause unexpected system termination.

Published: 2026-03-25

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use after free flaw was discovered in Apple operating systems, targeting memory management to let an application trigger unexpected system termination. This weakness falls under CWE‑416: Use After Free. The defect allows a malicious or buggy app to cause a crash, potentially disrupting service availability. No further exploitation such as unauthorized code execution is documented in the source description.

Affected Systems

Apple’s iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are impacted. The flaw is fixed in iOS 18.7.7 and iPadOS 18.7.7; macOS Sequoia 15.7.5 and macOS Sonoma 14.8.5; and tvOS, visionOS, and watchOS all receive remediation in version 26.3. These releases address the memory‑safety issue that previously allowed the crash.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity; an EPSS below 1% suggests low current exploit prevalence; and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to run or entice the execution of a vulnerable application on the device, making local or potentially remote application‑based attacks the plausible threat vector. The result of successful exploitation is a loss of availability, with no evidence of further confidentiality or integrity impact.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 18.7.7
`0`	affected	< 26.3

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 14.8.5
`0`	affected	< 15.7.5
`0`	affected	< 26.3

Apple

tvOS

affected

Version	Status	Constraints
`0`	affected	< 26.3

Apple

visionOS

affected

Version	Status	Constraints
`0`	affected	< 26.3

Apple

watchOS

affected

Version	Status	Constraints
`0`	affected	< 26.3

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::
	cpe:2.3:o:apple:watchos::::::::

No data.

Vendor Product Confidence Versions

Apple

Ios And Ipados

100%

Version	Status	Scheme	Platform
`[0,18.7.7)`	affected	semver	—
`[0,26.3)`	affected	generic	—

Apple

Macos

100%

Version	Status	Scheme	Platform
`[0,14.8.5)`	affected	semver	—
`[0,15.7.5)`	affected	semver	—
`[0,26.3)`	affected	generic	—

Apple

Tvos

100%

Version	Status	Scheme	Platform
`[0,26.3)`	affected	generic	—

Apple

Visionos

100%

Version	Status	Scheme	Platform
`[0,26.3)`	affected	generic	—

Apple

Watchos

100%

Version	Status	Scheme	Platform
`[0,26.3)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade iOS to 18.7.7 or later or to iPadOS 18.7.7 or later
Update macOS to Sequoia 15.7.5 or Sonoma 14.8.5 or to the latest version
Update tvOS, visionOS, and watchOS to version 26.3 or later
Verify that all installed applications are from trusted sources and are not known to trigger application crashes

Generated by OpenCVE AI on March 25, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://support.apple.com/en-us/126346
https://support.apple.com/en-us/126348
https://support.apple.com/en-us/126351
https://support.apple.com/en-us/126352
https://support.apple.com/en-us/126353
https://support.apple.com/en-us/126793
https://support.apple.com/en-us/126795
https://support.apple.com/en-us/126796

History

Wed, 25 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple ipados Apple iphone Os
CPEs		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple ipados Apple iphone Os

Wed, 25 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios And Ipados Apple macos Apple tvos Apple visionos Apple watchos
Vendors & Products		Apple Apple ios And Ipados Apple macos Apple tvos Apple visionos Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An app may be able to cause unexpected system termination.
References		https://support.apple.com/en-us/126346 https://support.apple.com/en-us/126348 https://support.apple.com/en-us/126351 https://support.apple.com/en-us/126352 https://support.apple.com/en-us/126353 https://support.apple.com/en-us/126793 https://support.apple.com/en-us/126795 https://support.apple.com/en-us/126796

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2026-03-25T00:32:10.184Z

Updated: 2026-04-02T18:16:34.748Z

Reserved: 2025-11-11T14:43:07.861Z

Link: CVE-2026-20637

Vulnrichment

Updated: 2026-03-25T15:48:34.410Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:04.310

Modified: 2026-03-25T20:51:47.927

Link: CVE-2026-20637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:56:18Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object