Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.
AnalysisAI
A permissions issue across Apple's ecosystem allows applications to fingerprint users by accessing information that should be restricted. The vulnerability affects iOS and iPadOS versions prior to 26.4, tvOS prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4. Attackers can exploit this by deploying a malicious app that leverages inadequate permission restrictions to collect device and user identifiers for tracking and profiling purposes. The issue has been addressed by Apple through additional permission restrictions in the patched versions, indicating this is a known vulnerability with an available fix.
Technical ContextAI
This vulnerability stems from insufficient permission controls in Apple's operating systems that govern application access to user identification data. The CWE category of Information Disclosure indicates that the root cause involves unauthorized access to sensitive information through inadequate permission enforcement. The affected CPEs span multiple Apple platforms (iOS/iPadOS, tvOS, visionOS, and watchOS), suggesting a systemic permission architecture issue rather than platform-specific implementation flaws. The fingerprinting capability exploits the absence of proper gating mechanisms that should restrict which applications can access identifiers used for user tracking, device identification, or cross-application correlation.
RemediationAI
Update to iOS and iPadOS version 26.4 or later, tvOS version 26.4 or later, visionOS version 26.4 or later, and watchOS version 26.4 or later as soon as possible. These updates implement additional permission restrictions that prevent unauthorized fingerprinting. Users should enable automatic updates in their device settings to receive security patches immediately upon release. In environments where immediate patching is not feasible, implement app vetting procedures to restrict installation of applications from untrusted sources, and consider using Mobile Device Management (MDM) solutions to enforce security policies and restrict app installations. Review installed applications for suspicious behavior or unfamiliar permissions requests related to device identifiers or user tracking capabilities.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15139
GHSA-9q9v-gcpr-jqgv