Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.
AnalysisAI
Lock screen bypass in iOS and iPadOS versions prior to 26.5 allows unauthorized access to restricted content without authentication. Apple's security advisory HT227110 confirms the privacy issue affected lock screen content filtering mechanisms. Despite CVSS 7.5 scoring suggesting network exploitation, the vulnerability requires physical access to a locked device, creating a significant disparity between theoretical severity and practical attack surface. EPSS probability of 0.02% (5th percentile) indicates minimal observed exploitation attempts, and no CISA KEV listing or public exploit code exists at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-284 (Improper Access Control) in iOS and iPadOS lock screen content filtering mechanisms. The affected component is the lock screen authorization framework responsible for enforcing privacy boundaries between locked and unlocked device states. According to CPE designation cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:*, all iOS and iPadOS versions prior to 26.5 contain the flaw. Apple's fix introduced improved authorization checks to properly validate user authentication state before rendering potentially sensitive content on the lock screen, addressing a gap where content classification or access control logic failed to respect the locked device boundary.
RemediationAI
Update to iOS 26.5 or iPadOS 26.5 immediately via Settings > General > Software Update. Apple's security advisory HT227110 at https://support.apple.com/en-us/127110 confirms the fix. For organizations unable to deploy the update immediately, implement compensating controls: enforce aggressive auto-lock timeouts (30 seconds maximum) via MDM configuration profile to minimize physical access window, disable lock screen notification previews and Siri access from lock screen through Restrictions policy, and enable remote wipe capabilities for lost/stolen device scenarios. Note that disabling lock screen notifications degrades user experience by requiring unlock for all alerts. Organizations with kiosk-mode deployments should prioritize patching as these devices have extended physical exposure to untrusted users.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29269
GHSA-w2x2-mw9r-hvc3