Skip to main content

iOS and iPadOS CVE-2026-28965

| EUVDEUVD-2026-29269 HIGH
Improper Access Control (CWE-284)
2026-05-11 apple GHSA-w2x2-mw9r-hvc3
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:27 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.

AnalysisAI

Lock screen bypass in iOS and iPadOS versions prior to 26.5 allows unauthorized access to restricted content without authentication. Apple's security advisory HT227110 confirms the privacy issue affected lock screen content filtering mechanisms. Despite CVSS 7.5 scoring suggesting network exploitation, the vulnerability requires physical access to a locked device, creating a significant disparity between theoretical severity and practical attack surface. EPSS probability of 0.02% (5th percentile) indicates minimal observed exploitation attempts, and no CISA KEV listing or public exploit code exists at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-284 (Improper Access Control) in iOS and iPadOS lock screen content filtering mechanisms. The affected component is the lock screen authorization framework responsible for enforcing privacy boundaries between locked and unlocked device states. According to CPE designation cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:*, all iOS and iPadOS versions prior to 26.5 contain the flaw. Apple's fix introduced improved authorization checks to properly validate user authentication state before rendering potentially sensitive content on the lock screen, addressing a gap where content classification or access control logic failed to respect the locked device boundary.

RemediationAI

Update to iOS 26.5 or iPadOS 26.5 immediately via Settings > General > Software Update. Apple's security advisory HT227110 at https://support.apple.com/en-us/127110 confirms the fix. For organizations unable to deploy the update immediately, implement compensating controls: enforce aggressive auto-lock timeouts (30 seconds maximum) via MDM configuration profile to minimize physical access window, disable lock screen notification previews and Siri access from lock screen through Restrictions policy, and enable remote wipe capabilities for lost/stolen device scenarios. Note that disabling lock screen notifications degrades user experience by requiring unlock for all alerts. Organizations with kiosk-mode deployments should prioritize patching as these devices have extended physical exposure to untrusted users.

Share

CVE-2026-28965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy