Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for privilege escalation. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):

* A user may be able to elevate privileges. (CVE-2026-20631)
* A remote user may be able to write arbitrary files. (CVE-2026-20660)
* An app may be able to read arbitrary files as root. (CVE-2026-28889)
* An app may be able to access sensitive user data. (CVE-2026-28877, CVE-2026-28876, CVE-2026-28870, CVE-2026-28824, CVE-2026-28866, CVE-2026-20668, CVE-2026-28839, CVE-2026-28831, CVE-2026-28818, CVE-2026-20697, CVE-2026-28828, CVE-2026-20651, CVE-2026-28881, CVE-2026-20632, CVE-2026-28820, CVE-2026-28837)
* An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection. (CVE-2025-14524)
* An app may be able to leak sensitive kernel state. (CVE-2026-28867)
* An app may be able to modify protected parts of the file system. (CVE-2026-28892, CVE-2026-28829, CVE-2026-28825)
* An app may be able to gain elevated privileges. (CVE-2026-28821)
* An app may be able to gain root privileges. (CVE-2026-28888)
* An app may be able to determine kernel memory layout. (CVE-2026-20695)
* An app may be able to access protected user data. (CVE-2026-20607, CVE-2026-28845)

Additional lower-severity vulnerabilities include:

* An app may be able to cause unexpected system termination. (CVE-2026-28890, CVE-2026-20637, CVE-2026-28834)
* Processing maliciously crafted web content may prevent Content Security Policy from being enforced. (CVE-2026-20665)
* Processing maliciously crafted web content may bypass Same Origin Policy. (CVE-2026-20643)
* Visiting a maliciously crafted website may lead to a cross-site scripting attack. (CVE-2026-28871)
* Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2026-20664, CVE-2026-28857, CVE-2026-28879)
* A malicious website may be able to access script message handlers intended for other origins. (CVE-2026-28861)
* A malicious website may be able to process restricted web content outside the sandbox. (CVE-2026-28859)
* A maliciously crafted webpage may be able to fingerprint the user. (CVE-2026-20691)
* An attacker in a privileged network position may be able to intercept network traffic. (CVE-2026-28865)
* An attacker may be able to cause unexpected app termination. (CVE-2026-28822)
* Processing an audio stream in a maliciously crafted media file may terminate the process. (CVE-2026-20690)
* A user in a privileged network position may be able to cause a denial-of-service. (CVE-2026-28886)
* An app may be able to enumerate a user’s installed apps. (CVE-2026-28878, CVE-2026-28880, CVE-2026-28833, CVE-2026-28882)
* Processing a maliciously crafted file may lead to unexpected app termination. (CVE-2025-64505)
* An app may be able to disclose kernel memory. (CVE-2026-28868, CVE-2026-28832)
* An app may be able to cause unexpected system termination or corrupt kernel memory. (CVE-2026-20698)
* An app may be able to break out of its sandbox. (CVE-2026-20688, CVE-2026-28838, CVE-2026-28891, CVE-2026-28827)
* An app may be able to fingerprint the user. (CVE-2026-28863)
* A local attacker may gain access to a user’s Keychain items. (CVE-2026-28864)
* An attacker with physical access to a locked device may be able to view sensitive user information. (CVE-2026-28856)
* An app may be able to cause a denial-of-service. (CVE-2026-28852)
* An app may be able to cause unexpected system termination or write kernel memory. (CVE-2026-20687)
* Multiple issues in Apache. (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
* An app may be able to access user-sensitive data. (CVE-2026-20699, CVE-2026-20633, CVE-2026-20694, CVE-2026-28862)
* A remote attacker may be able to cause a denial-of-service. (CVE-2026-28894, CVE-2026-28875)
* Processing a maliciously crafted string may lead to heap corruption. (CVE-2026-20639)
* “Hide IP Address” and “Block All Remote Content” may not apply to all mail content. (CVE-2026-20692)
* An app may be able to connect to a network share without user consent. (CVE-2026-20701)
* An app may be able to delete files for which it does not have permission. (CVE-2026-28816)
* An attacker with root privileges may be able to delete protected system files. (CVE-2026-20693)
* A sandboxed process may be able to circumvent sandbox restrictions. (CVE-2026-28817)
* Mounting a maliciously crafted SMB network share may lead to system termination. (CVE-2026-28835)
* Parsing a maliciously crafted file may lead to an unexpected app termination. (CVE-2026-20657)
* An app with root privileges may be able to delete protected system files. (CVE-2026-28823)
* An app may bypass Gatekeeper checks. (CVE-2026-20684)
* A document may be written to a temporary file when using print preview. (CVE-2026-28893)
* A buffer overflow may result in memory corruption and unexpected app termination. (CVE-2026-28842, CVE-2026-28841)
* A malicious app may be able to break out of its sandbox. (CVE-2026-28826)
* An attacker may gain access to protected parts of the file system. (CVE-2026-28844)
* A user with physical access to an iOS device may be able to bypass Activation Lock. (CVE-2025-43534)
* A remote attacker may be able to view leaked DNS queries with Private Relay turned on. (CVE-2025-43376)
* An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode. (CVE-2026-28895)
* A remote attacker may cause an unexpected app termination. (CVE-2026-28874)
* A remote user may be able to cause unexpected system termination or corrupt kernel memory. (CVE-2026-28858)

Successful exploitation of the most severe of these vulnerabilities could allow a user to elevate privileges. Depending on the privileges associated with the user, they may be able to modify protected system files.