VYPR
Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

Apple Patches Critical Out-of-Bounds Write Bug in macOS Audio APAC Decoder (CVE-2026-20611)

Apple has released a security update for macOS to address CVE-2026-20611, a critical out-of-bounds write vulnerability in the Audio APAC frame decoder that could allow remote code execution with user interaction.

Apple has issued a security update to patch CVE-2026-20611, a high-severity out-of-bounds write vulnerability in the macOS Audio APAC frame decoder. The flaw, disclosed by the Zero Day Initiative (ZDI) on March 10, 2026, carries a CVSS score of 7.8 and could allow remote attackers to execute arbitrary code on affected systems, though exploitation requires user interaction such as visiting a malicious webpage or opening a crafted file.

The vulnerability resides in the way macOS validates user-supplied data during the decoding of APAC audio frames. Specifically, the software fails to properly check the bounds of an allocated buffer before writing data, leading to a write past the end of the buffer. An attacker can leverage this memory corruption to hijack the execution flow of the current process, achieving code execution in the context of the logged-in user. The issue was reported to Apple on December 16, 2025, by an anonymous researcher through the ZDI bug bounty program.

Apple has addressed CVE-2026-20611 in a security advisory published on its support page. The update is available for all supported versions of macOS. Users are strongly advised to apply the patch immediately, as the vulnerability can be triggered remotely via web content or malicious files, making it a prime target for drive-by download attacks or phishing campaigns.

While no active exploitation has been reported in the wild at the time of disclosure, the ZDI advisory notes that the vulnerability is remotely exploitable and requires minimal privileges. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that although the attack vector is local (requiring user interaction), the impact on confidentiality, integrity, and availability is high. This makes CVE-2026-20611 a significant risk for enterprise environments where users may be tricked into opening malicious audio files or visiting compromised websites.
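As an added check that is not part of the Vypr article or the ZDI advisory, the following Python implements the CVSS v3.1 base-score formula and recomputes the 7.8 from the vector above; it also refuses malformed vectors (unknown, repeated or missing base metrics), so a mistyped advisory string is caught rather than silently scored.

```python
"""CVSS v3.1 base score from a vector string (formula from the CVSS v3.1 specification)."""
import math

# Base-metric weights from the CVSS v3.1 specification; PR values here are for Scope: Unchanged.
_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "S":  {"U": 0, "C": 1},
    "C":  {"H": 0.56, "L": 0.22, "N": 0.0},
    "I":  {"H": 0.56, "L": 0.22, "N": 0.0},
    "A":  {"H": 0.56, "L": 0.22, "N": 0.0},
}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}  # PR weights when Scope: Changed

def roundup(x: float) -> float:
    """The spec's Roundup: smallest one-decimal value >= x, with its float guard."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector: str) -> dict:
    """Parse 'AV:L/AC:L/...' (optionally prefixed 'CVSS:3.1/') into {metric: value}.
    Raises ValueError on an unknown, repeated or missing base metric."""
    parts = vector.split("/")
    if parts and parts[0].startswith("CVSS:"):
        parts = parts[1:]
    metrics = {}
    for part in parts:
        name, _, value = part.partition(":")
        if name not in _W or value not in _W[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = set(_W) - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics

def base_score(vector: str) -> float:
    """CVSS v3.1 base score for a vector; e.g. the CVE-2026-20611 vector scores 7.8."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _W["PR"])[m["PR"]]
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
```

Changing only AV:L to AV:N in the same vector yields 8.8, which is why a local, user-interaction bug like this one lands in the High band rather than Critical.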

The Audio APAC codec is used by macOS for efficient audio compression and playback. This is not the first time Apple's media frameworks have been a source of critical vulnerabilities; similar out-of-bounds write bugs have been patched in previous versions of macOS and iOS in the ImageIO, AudioToolbox, and CoreMedia components. The recurring pattern underscores the challenge of securing complex multimedia parsing code, which often handles untrusted data from the web or email attachments.

Apple's advisory does not specify whether the vulnerability affects other Apple platforms such as iOS, iPadOS, or tvOS, but given the shared codebase, users of those devices should monitor for updates. The ZDI advisory credits the discovery to an anonymous researcher and notes that Apple released the fix on March 10, 2026, the same day the advisory was publicly disclosed.

Organizations should prioritize testing and deploying the macOS security update, especially on systems used for browsing or handling untrusted media files. As always, users should exercise caution when opening unsolicited links or attachments, even on patched systems, to reduce the risk of exploitation.

Synthesized by Vypr AI