CVE-2026-20675 is a vulnerability identified in Apple’s iOS and iPadOS platforms, as well as other Apple operating systems such as macOS, tvOS, visionOS, and watchOS. The root cause is an out-of-bounds read (CWE-125) during the processing of specially crafted image files. When a vulnerable system processes such a malicious image, it may read memory outside the intended buffer boundaries, leading to unauthorized disclosure of user information. This could include sensitive personal data or system information residing in memory. The vulnerability requires user interaction, such as opening or previewing a malicious image, but does not require any prior authentication or elevated privileges, making it accessible to remote attackers who can deliver the image via email, messaging apps, or web content. The CVSS v3.1 base score of 7.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Apple has released patches in iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, and other platform updates to fix the issue by implementing improved bounds checking to prevent out-of-bounds memory access. Although no active exploits have been reported, the vulnerability poses a significant risk due to the widespread use of Apple devices and the ease of exploitation through common user actions.

The vulnerability can lead to unauthorized disclosure of sensitive user information, potentially including personal data, credentials, or system memory contents. This compromises confidentiality and may also affect integrity and availability if the memory corruption leads to crashes or system instability. Organizations relying on Apple devices for communication, data processing, or critical operations face risks of data leakage and privacy violations. Attackers could leverage this vulnerability to gather intelligence, conduct targeted attacks, or escalate privileges by combining it with other exploits. The requirement for user interaction means phishing or social engineering could be used to deliver the malicious image. The broad range of affected Apple platforms increases the attack surface, impacting mobile users, desktop users, and IoT device users alike. Failure to patch could result in data breaches, regulatory non-compliance, and reputational damage.

Organizations and users should immediately apply the security updates released by Apple for iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, and corresponding versions for other affected platforms. Beyond patching, implement strict email and messaging filtering to detect and block suspicious image files. Educate users to avoid opening images from untrusted or unknown sources. Employ endpoint protection solutions capable of detecting anomalous behavior related to image processing. Consider disabling automatic image previews in messaging and mail clients to reduce the risk of inadvertent exploitation. Monitor network traffic for unusual activity that could indicate exploitation attempts. Maintain regular backups and incident response plans to quickly recover from potential breaches. For enterprises, enforce mobile device management (MDM) policies to ensure devices remain updated and compliant.