Skip to main content

Apple EUVDEUVD-2026-15164

| CVE-2026-28882 MEDIUM
2026-03-25 apple GHSA-jffc-gvjg-4h86
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15164
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:31 nvd
MEDIUM 4.0

DescriptionCVE.org

This issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.

AnalysisAI

An information disclosure vulnerability in Apple's operating systems allows applications to enumerate a user's installed apps without proper authorization. This affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS versions prior to 26.4. An attacker can distribute a malicious app that queries the system to discover what applications a user has installed, potentially enabling targeted attacks or privacy violations. No CVSS score, EPSS data, or known public exploits are currently documented, but the vulnerability has been fixed across all Apple platforms, indicating Apple assessed this as requiring immediate remediation.

Technical ContextAI

The vulnerability exists in Apple's app enumeration mechanisms across their entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS). The root cause is classified as an information disclosure issue (CWE category), stemming from insufficient access controls on APIs or system calls that expose the list of installed applications. Affected CPE entries span cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:tvos, cpe:2.3:a:apple:visionos, and cpe:2.3:a:apple:watchos. The vulnerability allows third-party applications to bypass privacy protections that should restrict visibility into a user's installed app inventory, a fundamental iOS/macOS security model principle that prevents profiling and targeted exploitation.

RemediationAI

Immediately update all Apple devices to version 26.4 or later: upgrade iOS and iPadOS to 26.4, macOS to Tahoe 26.4, tvOS to 26.4, visionOS to 26.4, and watchOS to 26.4. Complete patch availability across all platforms means no interim workarounds are necessary. Users should enable automatic software updates to receive the fix immediately. Organizations with supervised device management should deploy forced updates to macOS and iOS devices. Reference Apple's security advisories at https://support.apple.com/en-us/126792 (iOS/iPadOS), https://support.apple.com/en-us/126794 (macOS), https://support.apple.com/en-us/126797 (tvOS), https://support.apple.com/en-us/126798 (visionOS), and https://support.apple.com/en-us/126799 (watchOS) for release notes and deployment guidance.

Share

EUVD-2026-15164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy