CVE-2025-46288

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-12-17 ([email protected])

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None

Lifecycle Timeline

  Analysis Generated: Apr 02, 2026 - 19:37 (vuln.today)
  CVE Published: Dec 17, 2025 - 21:16 (nvd), rated MEDIUM 5.5

Description

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens.

Analysis

Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows an authenticated, locally installed app to bypass payment token access restrictions and obtain sensitive payment credentials. All versions of the affected platforms prior to the 26.2 release are affected. CVSS 5.5; real-world exploitation risk is low (EPSS 0.01%), no public exploit has been identified, and the CVE is not listed in the CISA KEV catalog.

Technical Context

This vulnerability stems from a permissions enforcement failure (CWE-284: Improper Access Control) in the payment security framework shared across Apple's operating systems. The issue involves insufficient validation of the application sandbox restrictions that protect sensitive payment tokens (cryptographic credentials used for financial transactions). The CVSS vector (AV:L, AC:L, PR:L, UI:N) indicates the attack requires local access and authentication as an app, with no user interaction, suggesting the flaw lies in the inter-process communication or file system access control mechanisms that gate payment token access. Affected CPE entries span iOS/iPhone OS, iPadOS, macOS, visionOS, and watchOS, indicating the vulnerability exists in a shared system component across Apple's entire operating system portfolio.

Affected Products

Apple iOS and iPhone OS prior to version 26.2, Apple iPadOS prior to version 26.2, Apple macOS Tahoe prior to version 26.2, Apple visionOS prior to version 26.2, and Apple watchOS prior to version 26.2. All versions of these platforms across all hardware variants are affected until patched to the 26.2 release or later. Vendor advisories available at https://support.apple.com/en-us/125884 (general), https://support.apple.com/en-us/125886, https://support.apple.com/en-us/125890, and https://support.apple.com/en-us/125891.

Remediation

Vendor-released patch: Apple operating system versions 26.2 or later for iOS, iPadOS, macOS Tahoe, visionOS, and watchOS. Users should update to these versions immediately via Settings > General > Software Update on iOS/iPadOS/visionOS/watchOS, or System Settings > General > Software Update on macOS. No interim workarounds are documented; the patch involves fundamental permission enforcement changes that cannot be mitigated at the application level. Installation is mandatory for all users to prevent malicious applications from extracting payment tokens. Full details available at https://support.apple.com/en-us/125884 and associated Apple security bulletins.

Priority Score: 28

  KEV: 0
  EPSS: +0.0
  CVSS: +28
  POC: 0

CVE-2025-46288 vulnerability details – vuln.today