Skip to main content

Apple CVE-2026-28878

| EUVDEUVD-2026-15157 MEDIUM
Information Exposure (CWE-200)
2026-03-25 apple
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
14.8.5,18.7.7,26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15157
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:32 nvd
MEDIUM 6.5

DescriptionCVE.org

A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.

AnalysisAI

A privacy vulnerability in Apple's operating systems allows third-party applications to enumerate a user's installed applications, resulting in unauthorized information disclosure about device software inventory. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sonoma prior to 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4 across all affected product lines. An attacker can exploit this vulnerability by crafting a malicious application that leverages the enumeration capability to profile a user's installed software, potentially enabling further targeted attacks or privacy inference attacks based on application usage patterns.

Technical ContextAI

The vulnerability exists in Apple's application sandboxing and inter-process communication mechanisms across multiple operating systems (iOS/iPadOS, macOS, tvOS, visionOS, watchOS as indicated by CPE strings cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:tvos, cpe:2.3:a:apple:visionos, cpe:2.3:a:apple:watchos). The root cause appears to be insufficient access controls or improper filtering of sensitive system metadata that exposes installed application information to unprivileged processes. This is classified as an Information Disclosure vulnerability where the attack surface involves application-level queries to system APIs that should be restricted or require explicit user consent. The underlying weakness relates to improper restriction of sensitive resource access, where applications can query the device's package or application registry without proper authorization checks.

RemediationAI

Immediately update to the patched versions: iOS and iPadOS 18.7.7 or 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, or watchOS 26.4, depending on affected device. Enable automatic security updates in Settings > General > Software Update > Automatic Updates to ensure timely installation of patches. Until patching is complete, users should review installed third-party applications and uninstall untrusted or unnecessary applications that could exploit this vulnerability to profile device software inventory. Administrators in enterprise environments should enforce mandatory update policies through MDM/MAM solutions and monitor for suspicious applications requesting system information APIs.

Share

CVE-2026-28878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy