CVE-2026-20660: CFNetwork NSGZipDecoder Path Traversal to Arbitrary File Write

Vulnerability Overview

CVE-2026-20660 is a path handling vulnerability in Apple’s CFNetwork framework that allows a remote attacker to write files to arbitrary locations on the victim’s filesystem by serving a malicious gzip file.

| Field | Details |
|---|---|
| Component | CFNetwork (macOS) |
| Impact | A remote user may be able to write arbitrary files |
| Fix Description | A path handling issue was addressed with improved logic |
| Fixed In | Safari 26.3 / macOS Sequoia 26.3 (2026-02-11) |
| Discovered By | Amy |
| Vulnerability Class | Path Traversal via Gzip FNAME header (RFC 1952) |
| Trigger Condition | Safari “Open safe files after downloading” enabled (on by default) |
| Advisory | Apple Security Release - Safari 26.3 |

Disclosure note: This is a 1-day analysis performed independently after Apple released the fix in Safari 26.3. The original vulnerability was discovered and reported by Amy. All testing was conducted on macOS with the affected version (Safari 26.2 / macOS 26.2.1) against locally controlled systems. ...
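The class of bug above is a decoder trusting the RFC 1952 FNAME field as a path. The following added Python example (not part of the original write-up, and not CFNetwork's code) parses the gzip header, extracts FNAME, reduces it to a single safe path component the way a hardened decoder should, and flags names a conforming compressor would never emit; `make_gzip` only builds a constructed sample to exercise the parser.

```python
"""Inspect the FNAME field of a gzip (RFC 1952) member before using it as a
filename. RFC 1952 requires compressors to strip directory components, so a
decoder must never trust FNAME as a path: keep only the basename."""
import struct
import zlib
from typing import Optional

FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def gzip_fname(data: bytes) -> Optional[str]:
    """Return the FNAME header field of a gzip member, or None if absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member")
    flg = data[3]
    pos = 10                              # fixed header: ID1 ID2 CM FLG MTIME XFL OS
    if flg & FEXTRA:                      # optional extra field precedes FNAME
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = data.index(b"\x00", pos)        # FNAME is zero-terminated ISO 8859-1
    return data[pos:end].decode("latin-1")


def safe_output_name(fname: Optional[str], fallback: str = "download") -> str:
    """Reduce an untrusted FNAME to one path component with no traversal."""
    if not fname:
        return fallback
    # Treat both separator styles as directory separators; keep the last component.
    base = fname.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return fallback
    return base


def is_suspicious_fname(fname: Optional[str]) -> bool:
    """Detection rule: an FNAME carrying directory components is non-conforming."""
    return bool(fname) and fname != safe_output_name(fname)


def make_gzip(payload: bytes, fname: str) -> bytes:
    """Constructed sample only: gzip member with an arbitrary FNAME for testing."""
    body = zlib.compress(payload)[2:-4]   # drop zlib wrapper -> raw DEFLATE
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    return header + fname.encode("latin-1") + b"\x00" + body + trailer
```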

March 10, 2026 · 12 min · Xin