CVE-2026-20700

HIGH KEV

Apple watchOS <26.3 - Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2026-20700 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 12, 2026. EIP tracks 5 public exploits from researchers including XiaomingX, R3n3r0, bytehazard.

AI-analyzed exploit summary The repository lacks actual exploit code and instead directs users to an external download link (tinyurl.com). The README provides generic details about the vulnerability without technical depth or proof-of-concept code.

Description

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.

Exploits (5)

github SUSPICIOUS 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-20700

The repository lacks actual exploit code and instead directs users to an external download link (tinyurl.com). The README provides generic details about the vulnerability without technical depth or proof-of-concept code.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Apple iOS, watchOS, tvOS, macOS, visionOS
No auth needed
Prerequisites: ability to manipulate memory
devstral-2 · analyzed Feb 27, 2026 Full analysis →
github WORKING POC 1 stars
by R3n3r0 · pythonlocal
https://github.com/R3n3r0/CVE-2026-20700

This repository contains a functional exploit PoC for CVE-2026-20700, targeting a vulnerability in dyld's chained fixups mechanism on macOS/iOS. The exploit leverages malformed Mach-O dylibs to achieve arbitrary write primitives, demonstrated through multi-threaded stack manipulation and controlled symbol resolution.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Apple dyld (macOS/iOS)
No auth needed
Prerequisites: Apple Silicon device · Ability to load custom Mach-O binaries
devstral-2 · analyzed May 24, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by bytehazard · poc
https://github.com/bytehazard/CVE-2026-20700

The repository lacks actual exploit code and instead directs users to an external download link (tinyurl.com). The README provides generic vulnerability details without technical depth or proof-of-concept code.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Apple iOS, watchOS, tvOS, macOS, visionOS
No auth needed
Prerequisites: ability to manipulate memory
devstral-2 · analyzed Feb 17, 2026 Full analysis →
github WORKING POC
by notthemystery · cpoc
https://github.com/notthemystery/CVE-2026-20700-POC-that-ll-never-work

This is a functional exploit for CVE-2026-20700 targeting a type confusion vulnerability in IOSurfaceAcceleratorClient::sendCommand() on iOS. It demonstrates kernel read/write capabilities and privilege escalation to spawn a root shell.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: iOS (specific version not specified)
No auth needed
Prerequisites: ASLR disabled · PAC bypass in userland · kernel read/write primitive
devstral-2 · analyzed May 25, 2026 Full analysis →
github WRITEUP
by sundenovak · poc
https://github.com/sundenovak/CVE-2026-20700-An-analysis-WIP

This repository provides a detailed technical analysis of CVE-2026-20700, focusing on patch diffing and reverse engineering of the dyld component in iOS. It includes insights into the memory corruption issue and potential attack chains involving WebKit bugs.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Apple dyld (iOS 26.2.1 and earlier)
No auth needed
Prerequisites: Memory write capability · Knowledge of dyld internals
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Release Notes, Vendor Advisory
https://support.apple.com/en-us/126346
Release Notes, Vendor Advisory
https://support.apple.com/en-us/126348
Release Notes, Vendor Advisory
https://support.apple.com/en-us/126351
Release Notes, Vendor Advisory
https://support.apple.com/en-us/126352
Release Notes, Vendor Advisory
https://support.apple.com/en-us/126353

Scores

CVSS v3 7.8
EPSS 0.0046
EPSS Percentile 64.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-02-12
VulnCheck KEV 2026-02-11
ENISA EUVD EUVD-2026-6189
CWE
CWE-119
Status published
Products (11)
Apple/iOS and iPadOS < 26.3
apple/ipados < 26.3
apple/iphone_os < 26.3
apple/macos < 26.3
Apple/macOS < 26.3
apple/tvos < 26.3
Apple/tvOS < 26.3
apple/visionos < 26.3
Apple/visionOS < 26.3
apple/watchos < 26.3
... and 1 more
Published Feb 11, 2026
KEV Added Feb 12, 2026
Tracked Since Feb 18, 2026