VYPR
Tag: patch · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

Apple Patches Critical CoreMedia RCE Vulnerability (CVE-2026-20690) in macOS

Apple has released a security update to fix CVE-2026-20690, a critical out-of-bounds write vulnerability in the CoreMedia framework that could allow remote code execution on macOS.

Apple has released a security update to address CVE-2026-20690, a critical vulnerability in the CoreMedia framework that could allow remote code execution on macOS. The flaw, reported by Hossein Lotfi of Trend Micro's Zero Day Initiative, carries a CVSS score of 8.8 and affects all supported versions of macOS.

The vulnerability is an out-of-bounds write issue within the CoreMedia framework, which handles media playback and processing. The bug stems from improper validation of user-supplied data, allowing an attacker to write past the end of an allocated buffer. Exploitation requires user interaction, such as visiting a malicious webpage or opening a crafted file. If successfully exploited, an attacker could execute arbitrary code in the context of the current process, potentially gaining full control of the system.

Apple has addressed the vulnerability in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Users are strongly advised to update their systems immediately via Software Update or Apple's security response mechanism. The advisory is available on Apple's support page.
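A quick way to audit a fleet against the fixed releases named above is a small version check. The script below is an added example for this summary, not Apple's or ZDI's tooling; it takes the fixed versions (15.4, 14.7.5, 13.7.5) from the text, implements its own dotted-version comparison, and, when run on a Mac, reads the installed version with the standard `sw_vers -productVersion` command. Any macOS line not listed in the advisory is reported as "not covered" rather than silently treated as safe.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a macOS version
# string is at or above the release that fixes CVE-2026-20690.
# The fixed versions are taken from the advisory summary; the comparison
# logic and the exit-code convention are this script's own.

# vercmp A B: print -1, 0 or 1 comparing two dotted version strings
# component by component, numerically (so 14.7.10 > 14.7.5).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    [ -z "$ax" ] && ax=0          # missing component counts as 0
    [ -z "$bx" ] && bx=0
    if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
    if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# fixed_version_for MAJOR: first fixed release in that macOS line,
# per the advisory (Sequoia 15.4, Sonoma 14.7.5, Ventura 13.7.5).
fixed_version_for() {
  case "$1" in
    15) printf '%s\n' 15.4 ;;
    14) printf '%s\n' 14.7.5 ;;
    13) printf '%s\n' 13.7.5 ;;
    *)  printf '%s\n' "" ;;
  esac
}

# is_patched VERSION: exit 0 if VERSION is at or above the fixed release
# for its major line, 1 if it is below it, 2 if the line is not covered
# by the advisory at all (e.g. an older, unsupported macOS).
is_patched() {
  v="$1"
  major=${v%%.*}
  fixed=$(fixed_version_for "$major")
  [ -z "$fixed" ] && return 2
  r=$(vercmp "$v" "$fixed")
  [ "$r" -ge 0 ]
}

# When run on a Mac, check the installed version; elsewhere do nothing.
if command -v sw_vers >/dev/null 2>&1; then
  cur=$(sw_vers -productVersion)
  rc=0; is_patched "$cur" || rc=$?
  case $rc in
    0) echo "macOS $cur: at or above the fixed release for CVE-2026-20690" ;;
    1) echo "macOS $cur: below the fixed release; apply the update" ;;
    *) echo "macOS $cur: version line not covered by this advisory" ;;
  esac
fi
```

On a host, run it as `sh check_coremedia.sh`; for an inventory export, call `is_patched` on each version string instead of `sw_vers`. The three-way exit code matters: a machine on a line the advisory does not list should be flagged for review, not counted as patched.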

This vulnerability was disclosed through the Zero Day Initiative's coordinated disclosure process, with Apple releasing the patch on March 30, 2026. The timeline shows the vulnerability was reported on January 9, 2026, and the advisory was updated on the same day as the public release.

CoreMedia is a core component of macOS, used by various applications for media handling. Given the widespread use of macOS in enterprise and consumer environments, this vulnerability poses a significant risk. Users should prioritize applying the update to mitigate potential attacks.

This is the latest in a series of critical vulnerabilities patched by Apple in 2026, highlighting the ongoing need for prompt security updates. The Zero Day Initiative credited Hossein Lotfi for discovering the flaw.

Synthesized by Vypr AI