Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to access sensitive user data.
AnalysisAI
Malicious applications on iOS 26.5, iPadOS 26.5, and visionOS 26.5 can access sensitive user data due to inconsistent user interface state management. The vulnerability stems from UI state handling flaws (CWE-451) that allow apps to bypass expected data access controls. Apple has released patches in iOS/iPadOS 26.5 and visionOS 26.5. Despite a CVSS score of 7.5 (High), the EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability in the wild. No public exploit code or CISA KEV listing identified at time of analysis, suggesting this is primarily a platform-hardening fix rather than an actively targeted vulnerability.
Technical ContextAI
This vulnerability exploits CWE-451 (User Interface Misrepresentation of Critical Information), specifically through inconsistent state management in Apple's operating system UI frameworks. The affected products are iOS and iPadOS versions prior to 26.5, and visionOS versions prior to 26.5, as confirmed by CPE strings cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:* and cpe:2.3:a:apple:visionos:*:*:*:*:*:*:*:*. UI state management controls how applications interact with system-level permission prompts, data access controls, and user consent workflows. When state transitions are handled inconsistently, malicious applications can potentially access sensitive data (contacts, photos, location, health data) without proper user authorization or by manipulating the UI state to bypass permission checks. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates network-accessible attack surface with low complexity, though the description context suggests the actual attack requires a malicious app already installed on the device, creating tension between the CVSS vector and the described attack scenario.
RemediationAI
Update to Apple-released patched versions: iOS 26.5, iPadOS 26.5, or visionOS 26.5 as documented in Apple security advisories HT127110 and HT127120 (https://support.apple.com/en-us/127110, https://support.apple.com/en-us/127120). For devices that cannot immediately update, implement compensating controls through Mobile Device Management (MDM) policies: restrict third-party application installation to only vetted enterprise apps via allowlisting, disable sideloading and developer mode, and enforce App Store-only installation policies. Note these mitigations reduce attack surface but do not eliminate risk if malicious apps are already installed or if users have administrative control. Review application permissions for existing installed apps and revoke unnecessary data access permissions in Settings > Privacy & Security. For enterprise deployments, prioritize updates for devices with sensitive data access (executive devices, healthcare/finance sector use cases) and consider phased rollout testing the iOS 26.5 update for application compatibility before broad deployment.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29268
GHSA-2899-6rgx-h9c6