VYPR | patch | Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

Apple Patches CVE-2026-20634: Out-of-Bounds Read in macOS ImageIO via Crafted SGI Files

Apple has released a security update for macOS to fix CVE-2026-20634, an out-of-bounds read vulnerability in the ImageIO framework that can be triggered by a specially crafted SGI image file.

Apple has issued a security update addressing CVE-2026-20634, an out-of-bounds read vulnerability in the macOS ImageIO framework that could allow an attacker to disclose sensitive information. The flaw, reported by researcher George Karchemsky (@gkarchemsky) and disclosed through the Zero Day Initiative (ZDI-26-175), resides in how ImageIO parses SGI image files. The vulnerability can be exploited by convincing a user to open a malicious SGI file, potentially leading to information disclosure.

The specific weakness lies in ImageIO's handling of SGI images: crafted data in the file can cause the parser to read past the end of an allocated buffer. While the CVSS score for this vulnerability is relatively low at 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), the advisory notes that an attacker could leverage this flaw in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. This makes it a potential stepping stone in a multi-stage attack chain.
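The advisory does not describe the defective code, so the following is an added, illustrative example and not Apple's ImageIO code or a reproduction of CVE-2026-20634. It shows the general defect class behind "read past the end of an allocated buffer" in an image parser: a 512-byte SGI header declares the image dimensions, and a decoder that trusts those dimensions without comparing them to the bytes actually present will read beyond the file buffer. The header layout used here follows the public SGI image format (big-endian magic 0x01DA, storage type, bytes per channel, then xsize/ysize/zsize); the function names and the constructed sample files are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SGI_MAGIC      0x01DA
#define SGI_HEADER_LEN 512

/* Subset of the SGI header fields that drive buffer sizing. */
typedef struct {
    uint8_t  storage;    /* 0 = verbatim (uncompressed), 1 = RLE */
    uint8_t  bpc;        /* bytes per channel sample: 1 or 2 */
    uint16_t dimension;  /* 1, 2 or 3 */
    uint16_t xsize, ysize, zsize;
} sgi_header;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 512-byte header. Returns 0 on success, -1 on malformed input. */
int sgi_parse_header(const uint8_t *buf, size_t len, sgi_header *h) {
    if (buf == NULL || h == NULL || len < SGI_HEADER_LEN) return -1;
    if (be16(buf) != SGI_MAGIC) return -1;
    h->storage   = buf[2];
    h->bpc       = buf[3];
    h->dimension = be16(buf + 4);
    h->xsize     = be16(buf + 6);
    h->ysize     = be16(buf + 8);
    h->zsize     = be16(buf + 10);
    if (h->storage > 1 || (h->bpc != 1 && h->bpc != 2)) return -1;
    if (h->xsize == 0 || h->ysize == 0 || h->zsize == 0) return -1;
    return 0;
}

/* The check an unsafe decoder omits: does the buffer hold the pixel bytes the
 * header promises? Three 16-bit sizes times bpc cannot overflow a uint64_t. */
int sgi_validate_uncompressed(const uint8_t *buf, size_t len, sgi_header *h) {
    if (sgi_parse_header(buf, len, h) != 0) return -1;
    if (h->storage != 0) return -1;  /* RLE needs its own offset-table checks */
    uint64_t need = (uint64_t)h->xsize * h->ysize * h->zsize * h->bpc;
    if (need > (uint64_t)(len - SGI_HEADER_LEN)) return -1;  /* would read OOB */
    return 0;
}

/* Bounds-checked sample read. Planar layout: channel planes, rows, columns.
 * Returns 0 and stores the sample, or -1 instead of touching out-of-range memory. */
int sgi_read_sample(const uint8_t *buf, size_t len,
                    uint16_t x, uint16_t y, uint16_t z, uint32_t *out) {
    sgi_header h;
    if (out == NULL || sgi_validate_uncompressed(buf, len, &h) != 0) return -1;
    if (x >= h.xsize || y >= h.ysize || z >= h.zsize) return -1;
    uint64_t idx = ((uint64_t)z * h.ysize + y) * h.xsize + x;
    uint64_t off = SGI_HEADER_LEN + idx * h.bpc;
    *out = (h.bpc == 1) ? buf[off] : be16(buf + off);
    return 0;
}

/* Build a verbatim-storage SGI file in memory (constructed test data, not a real
 * image). Returns bytes written, or 0 if dst is too small. */
size_t sgi_build(uint8_t *dst, size_t cap, uint16_t xs, uint16_t ys, uint16_t zs,
                 const uint8_t *pixels, size_t npix) {
    if (cap < SGI_HEADER_LEN + npix) return 0;
    memset(dst, 0, SGI_HEADER_LEN);
    dst[0] = 0x01; dst[1] = 0xDA;          /* magic */
    dst[2] = 0;    dst[3] = 1;             /* verbatim storage, 1 byte per channel */
    dst[4] = 0;    dst[5] = 3;             /* dimension */
    dst[6] = xs >> 8; dst[7] = xs & 0xFF;
    dst[8] = ys >> 8; dst[9] = ys & 0xFF;
    dst[10] = zs >> 8; dst[11] = zs & 0xFF;
    memcpy(dst + SGI_HEADER_LEN, pixels, npix);
    return SGI_HEADER_LEN + npix;
}

int main(void) {
    static const uint8_t px[4] = {10, 20, 30, 40};
    uint8_t file[SGI_HEADER_LEN + 4];
    uint32_t v;

    /* Honest header: 2x2x1 image with exactly 4 pixel bytes present. */
    size_t n = sgi_build(file, sizeof file, 2, 2, 1, px, 4);
    printf("2x2x1 sample(1,1,0): rc=%d value=%u\n", sgi_read_sample(file, n, 1, 1, 0, &v), v);

    /* Lying header: claims 256x256x3 (196608 bytes) but only 4 bytes follow.
     * A decoder trusting the header would read ~192 KiB past the buffer. */
    n = sgi_build(file, sizeof file, 256, 256, 3, px, 4);
    printf("256x256x3 truncated: rc=%d (rejected before any read)\n",
           sgi_read_sample(file, n, 0, 0, 0, &v));
    return 0;
}
```

The defensive invariant is the one in `sgi_validate_uncompressed`: every size derived from attacker-controlled header fields must be compared to the number of bytes actually available before any pointer arithmetic uses it. For a parser that also handles RLE storage, the same rule applies to each entry in the scanline offset and length tables.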

The vulnerability affects all versions of macOS prior to the security update. Apple has released a fix as part of its March 2026 security updates, available via the standard software update mechanism. Users are strongly advised to apply the update promptly to mitigate the risk.

This disclosure follows a coordinated timeline: the vulnerability was reported to Apple on November 5, 2025, and the advisory was publicly released on March 10, 2026. The ZDI advisory credits George Karchemsky for discovering the flaw.

While the immediate impact of CVE-2026-20634 is limited to information disclosure, its inclusion in Apple's security update cycle underscores the company's ongoing efforts to harden its image parsing libraries. Image processing frameworks have historically been a rich attack surface for memory corruption vulnerabilities, and this patch closes another potential entry point for attackers targeting macOS users.

Synthesized by Vypr AI