{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20639", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-11-11T14:43:07.861Z", "datePublished": "2026-03-25T00:32:30.351Z", "dateUpdated": "2026-03-25T19:46:03.898Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing a maliciously crafted string may lead to heap corruption"}]}], "affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "14.8.5", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "15.7.5", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "26.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption."}], "references": [{"url": "https://support.apple.com/en-us/126348"}, {"url": "https://support.apple.com/en-us/126795"}, {"url": "https://support.apple.com/en-us/126796"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:32:30.351Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-190", "lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:45:29.801131Z", "id": "CVE-2026-20639", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:46:03.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:45:29.801131Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:45:59.400Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "0", "lessThan": "14.8.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "15.7.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "26.3", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/126348"}, {"url": "https://support.apple.com/en-us/126795"}, {"url": "https://support.apple.com/en-us/126796"}], "descriptions": [{"lang": "en", "value": "An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing a maliciously crafted string may lead to heap corruption"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:32:30.351Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20639", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:46:03.898Z", "dateReserved": "2025-11-11T14:43:07.861Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-03-25T00:32:30.351Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "D66288AF-23BD-407A-81F5-F1DFBF84C622", "versionEndExcluding": "14.8.5", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD21D2C9-BBEC-4E8E-B8D2-C92B7E6155E1", "versionEndExcluding": "15.7.5", "versionStartIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "0488A377-7971-4703-8823-05BF1E23CF48", "versionEndExcluding": "26.3", "versionStartIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3. Processing a maliciously crafted string may lead to heap corruption."}], "id": "CVE-2026-20639", "lastModified": "2026-03-25T21:32:57.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T01:17:04.443", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126348"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126795"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126796"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.8.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.7.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "macOS", "source": "cna", "vendor": "Apple"}, "product": "macos", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-26T02:37:42.362121+00:00", "value": {"mitigation_remediation": ["Update macOS to the latest version (Sequoia\u202f15.7.5, Sonoma\u202f14.8.5, or Tahoe\u202f26.3)", "Verify the installed macOS version using the system information tool", "Apply any additional vendor\u2011issued patches promptly", "Monitor system logs for signs of instability or memory corruption"], "summary": {"action": "Patch", "impact": "Heap corruption via integer overflow"}, "threat_synthesis": {"affected_systems": "Apple macOS is affected. Versions older than macOS Sequoia\u202f15.7.5, macOS Sonoma\u202f14.8.5, and macOS Tahoe\u202f26.3 are vulnerable. These releases have incorporated the necessary input validation fixes.", "description_and_impact": "An integer overflow can occur when processing a maliciously crafted string, resulting in heap corruption. This bug was mitigated with improved input validation, but prior to the fix it could disrupt memory integrity during string handling operations.", "risk_and_exploitability": "The CVSS score of 7.5 denotes high severity; EPSS is below 1%, indicating a low likelihood of exploitation, and the vulnerability is not included in the CISA KEV catalog. The attack vector is not explicitly specified in the data, but it is inferred that an attacker would need to deliver a maliciously crafted string to a component that processes such input, potentially through local or network\u2011exposed interfaces."}}}}, "created": "2026-03-25T11:36:19.564073+00:00", "updated": "2026-03-26T12:17:56.537723+00:00", "vendors": ["apple", "apple$PRODUCT$macos"]}