Apple Patches Critical Security Flaws

- The symbolic link vulnerability, CVE-2026-20677, stems from a race condition that was resolved with improved handling of symbolic links. This flaw could allow a malicious shortcut to bypass sandbox restrictions. - A CVSS score of 9.0, as assigned to CVE-2026-20677, falls into the "Critical" severity range (9.0-10.0), indicating a high level of risk that often requires immediate attention. The high score for this vulnerability is attributed to its potential for remote exploitation without user interaction or required privileges. - The patches address this vulnerability in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, and visionOS 26.3. - The separate bug fixed across Apple's OS lineup, identified as CVE-2026-20700, was a memory corruption issue in dyld, Apple's dynamic link editor. This vulnerability has been actively exploited in what Apple describes as "extremely sophisticated attacks" against specific individuals. - Google's Threat Analysis Group (TAG) is credited with discovering and reporting the actively exploited CVE-2026-20700 flaw. This vulnerability was used as part of an exploit chain with two other vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were patched in December 2025. - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20700 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the necessary patches by March 5, 2026. - Symbolic link vulnerabilities, in general, can be used to trick privileged processes into redirecting file operations, allowing an attacker to write to or create files outside of the intended sandboxed directory. This can lead to a complete sandbox escape and arbitrary code execution. - This series of patches is part of a larger update that addressed 71 distinct vulnerabilities across Apple's operating systems.