ZDI 2026-03-30

ZDI-26-230: Apple macOS CoreMedia Framework Out-Of-Bounds Write Remote Code Execution Vulnerability

CVE-2026-20690

Machine-generated analysis · WAYSCloud LLM

The vulnerability is an out-of-bounds write in the CoreMedia framework requiring user interaction for remote code execution.

Context

The affected component is Apple macOS, specifically the CoreMedia framework. The vulnerability is an out-of-bounds write that can be triggered remotely. Exploitation requires user interaction, such as visiting a malicious page or opening a malicious file. The ZDI assigned a CVSS score of 8.8, indicating high severity according to their rating.

Operator considerations

Check: Verify if systems are running affected versions of macOS with the vulnerable CoreMedia framework.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-20690.

Read the full advisory on ZDI →