Apple macOS libusd_ms Alembic File Parsing Vulnerability Allows Remote Code Execution
Apple has patched a critical out-of-bounds write vulnerability (CVE-2026-20616) in macOS's libusd_ms library that could allow remote attackers to execute arbitrary code via a malicious Alembic file.

Apple has released a security update to address a critical vulnerability in macOS that could allow remote attackers to execute arbitrary code. The flaw, tracked as CVE-2026-20616 and reported by Michael DePlante of Trend Micro's Zero Day Initiative, resides in the libusd_ms library when parsing Alembic files.
The vulnerability is an out-of-bounds write issue stemming from improper validation of user-supplied data. An attacker can exploit this by crafting a malicious Alembic file and tricking a user into opening it. Successful exploitation leads to arbitrary code execution in the context of the current process, potentially giving the attacker full control over the affected system.
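To illustrate the vulnerability class the advisory describes (an out-of-bounds write caused by trusting a length field supplied by the file being parsed), here is a toy C record parser showing the unchecked pattern beside a bounds-checked one. This is added example code written for this page; it is not libusd_ms or Alembic code, and the record layout, function names, and sample bytes are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size record for the toy parser (constructed; not the
 * real libusd_ms data layout). */
#define NAME_CAP 16

typedef struct {
    char name[NAME_CAP];
    uint32_t vertex_count;
} toy_object;

/* Toy wire format (constructed):
 *   [u8 name_len][name_len bytes of name][u32 little-endian vertex_count] */

/* Unchecked pattern: the file-supplied name_len is used directly as the copy
 * length. A value above NAME_CAP makes memcpy write past obj->name, which is
 * exactly the "out-of-bounds write from improper validation" defect class.
 * Shown for contrast only; never call it on untrusted input. */
int parse_object_unchecked(const uint8_t *buf, size_t len, toy_object *obj) {
    if (len < 1) return -1;
    size_t name_len = buf[0];
    memcpy(obj->name, buf + 1, name_len);          /* BUG: no bound on name_len */
    obj->name[name_len] = '\0';                    /* BUG: can also write past the array */
    const uint8_t *p = buf + 1 + name_len;         /* BUG: may read past the input */
    obj->vertex_count = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                      | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Hardened pattern: every file-controlled length is validated against both
 * the destination capacity and the bytes actually present before any copy. */
int parse_object_checked(const uint8_t *buf, size_t len, toy_object *obj) {
    if (buf == NULL || obj == NULL || len < 1) return -1;
    size_t name_len = buf[0];
    if (name_len >= NAME_CAP) return -2;           /* would overflow obj->name (room for NUL) */
    if (len < 1 + name_len + 4) return -3;         /* would read past the end of the input */
    memset(obj, 0, sizeof *obj);
    memcpy(obj->name, buf + 1, name_len);
    obj->name[name_len] = '\0';
    const uint8_t *p = buf + 1 + name_len;
    obj->vertex_count = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                      | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_RECORD[]      = {4, 'c', 'u', 'b', 'e', 8, 0, 0, 0};   /* "cube", 8 vertices */
static const uint8_t OVERSIZED_RECORD[] = {200, 'x', 'x', 'x', 'x', 0, 0, 0, 0}; /* claims 200-byte name */
static const uint8_t TRUNCATED_RECORD[] = {4, 'c', 'u', 'b'};                    /* ends mid-name */

/* Helpers returning observable results so the behaviour can be checked. */
int demo_checked_good(void) {          /* expected: 8 (parsed vertex count) */
    toy_object o;
    if (parse_object_checked(GOOD_RECORD, sizeof GOOD_RECORD, &o) != 0) return -100;
    if (strcmp(o.name, "cube") != 0) return -101;
    return (int)o.vertex_count;
}
int demo_checked_oversized(void) {     /* expected: -2 (rejected before any write) */
    toy_object o;
    return parse_object_checked(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD, &o);
}
int demo_checked_truncated(void) {     /* expected: -3 (rejected before over-read) */
    toy_object o;
    return parse_object_checked(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD, &o);
}
int demo_unchecked_good(void) {        /* expected: 8; benign input only */
    toy_object o;
    if (parse_object_unchecked(GOOD_RECORD, sizeof GOOD_RECORD, &o) != 0) return -100;
    return (int)o.vertex_count;
}

int main(void) {
    printf("checked/good:      %d\n", demo_checked_good());
    printf("checked/oversized: %d\n", demo_checked_oversized());
    printf("checked/truncated: %d\n", demo_checked_truncated());
    printf("unchecked/good:    %d\n", demo_unchecked_good());
    return 0;
}
```

The hardened parser rejects the oversized and truncated records with distinct error codes before touching the destination buffer, which is the property a fuzzer or a code review should look for in any binary-format parser: the length a file declares is never used as a copy bound until it has been checked against both the destination's capacity and the input that remains.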
Alembic files are commonly used in visual effects and animation pipelines for storing 3D scene data. The libusd_ms library is part of Apple's Universal Scene Description (USD) framework, which is integrated into macOS for handling 3D content. This makes the vulnerability particularly concerning for users in creative industries such as film, gaming, and augmented reality development.
The vulnerability carries a CVSS score of 7.8, indicating high severity. While user interaction is required, the attack vector is local, meaning the attacker must first deliver the malicious file to the target system. However, given the prevalence of USD-based workflows, the risk of exploitation is significant.
Apple has issued a security update to correct the vulnerability. Users are strongly advised to apply the latest macOS updates as soon as possible. The advisory can be found at Apple's support page: https://support.apple.com/en-ca/126350.
This disclosure follows a coordinated timeline: the vulnerability was reported to Apple on November 19, 2025, and the advisory was publicly released on March 10, 2026. The Zero Day Initiative, which coordinated the disclosure, credited Michael DePlante for discovering the flaw.
This vulnerability highlights the ongoing risks in parsing complex file formats within widely used frameworks. As 3D content becomes more integrated into operating systems and applications, similar parsing flaws are likely to emerge, emphasizing the need for rigorous input validation and prompt patching.