CVE-2026-20687

HIGH

iOS and iPadOS < 18.7.7 - Use-After-Free

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-20687. PoCs published by zeroxjf, adminlove520, XZ1r0.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-20687, a use-after-free vulnerability in AppleSEPKeyStore. The exploit triggers a kernel panic by racing IOConnectCallMethod and IOServiceClose operations, demonstrating the vulnerability in iOS and macOS versions 26.1-26.2.

Description

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4. An app may be able to cause unexpected system termination or write kernel memory.

Exploits (5)

nomisec WORKING POC 30 stars

by zeroxjf · poc

https://github.com/zeroxjf/CVE-2026-20687-AppleSEPKeyStore-UAF

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2026-20687, a use-after-free vulnerability in AppleSEPKeyStore. The exploit triggers a kernel panic by racing IOConnectCallMethod and IOServiceClose operations, demonstrating the vulnerability in iOS and macOS versions 26.1-26.2.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Racy

Target: AppleSEPKeyStore (com.apple.driver.AppleSEPKeyStore) on iOS/macOS 26.1-26.2

No auth needed

Prerequisites: Access to a vulnerable iOS/macOS device running versions 26.1-26.2

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Mar 25, 2026 Full analysis →

nomisec WRITEUP 14 stars

by zeroxjf · poc

https://github.com/zeroxjf/CVE-2026-20687-AppleJPEGDriver-UAF

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-20687, a use-after-free (UAF) vulnerability in Apple's JPEG driver. It includes a step-by-step explanation of the trigger mechanism, code snippets illustrating the UAF condition, and instructions for reproducing the kernel panic.

Classification

Writeup 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apple iOS 26.3 (23D125) on iPhone18,2 (iPhone 17 Pro Max, A19 Pro)

No auth needed

Prerequisites: iOS device running iOS 26.3 · Xcode for building the PoC

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 09, 2026 Full analysis →

github WRITEUP 3 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-20687

View Code ZIP pw:eip

Technical analysis of CVE-2026-20687, a use-after-free (UAF) vulnerability in AppleJPEGDriver's startDecoder() function, leading to a deferred kernel panic. The writeup includes a detailed explanation of the trigger mechanism, code snippets, and steps to reproduce the issue.

Classification

Writeup 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apple iOS 26.3 (23D125) on iPhone18,2 (iPhone 17 Pro Max, A19 Pro)

No auth needed

Prerequisites: iOS device running iOS 26.3 · Xcode for building the PoC

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 03, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/linux/CVE-2026-20687-AppleJPEGDriver-UAF

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2026-20687, a use-after-free (UAF) vulnerability in the AppleJPEGDriver kernel extension affecting iOS/macOS. The exploit primes the driver with async requests, then triggers a deferred kernel panic via the Camera app, demonstrating the UAF condition.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: AppleJPEGDriver (iOS 26.3, macOS, A19 Pro)

No auth needed

Prerequisites: iOS device with vulnerable AppleJPEGDriver (e.g., iPhone 17 Pro Max, iOS 26.3)

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 21, 2026 Full analysis →

nomisec WRITEUP

by enfilade-labs · poc

https://github.com/enfilade-labs/CVE-2026-20687-AppleJPEGDriver-UAF

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2026-20687, a use-after-free (UAF) vulnerability in Apple's `AppleJPEGDriver` kernel component. It explains the root cause, trigger conditions, and includes a high-level proof-of-concept code snippet demonstrating the UAF scenario.

Classification

Writeup 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apple iOS 26.3 (AppleJPEGDriver)

No auth needed

Prerequisites: Physical iOS device (iPhone 17 Pro Max, A19 Pro) · Xcode for building the PoC app

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 23, 2026 Full analysis →

References (6)

Core 6

Core References

https://support.apple.com/en-us/126792

https://support.apple.com/en-us/126793

https://support.apple.com/en-us/126794

https://support.apple.com/en-us/126795

https://support.apple.com/en-us/126797

https://support.apple.com/en-us/126798

Scores

CVSS v3 7.1

EPSS 0.0001

EPSS Percentile 0.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-416

Status published

Products (11)

Apple/iOS and iPadOS < 18.7.7

Apple/iOS and iPadOS < 26.4

apple/ipados < 18.7.7

apple/iphone_os < 18.7.7

Apple/macOS < 15.7.5

Apple/macOS < 26.4

apple/macos 15.0 - 15.7.5

Apple/tvOS < 26.4

apple/tvos < 26.4

Apple/watchOS < 26.4

... and 1 more

Published Mar 25, 2026

Tracked Since Mar 25, 2026