Description
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.5 and iPadOS 18.5. Call history from deleted apps may still appear in spotlight search results.
Published: 2025-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Update
AI Analysis

Impact

This privacy vulnerability allows sensitive call history from apps that have been deleted to appear in Spotlight search results, potentially exposing personal communication records. The flaw stems from the incomplete removal of call logs when an app is deleted, leading to inadvertent disclosure of private data (CWE‑200). While the vulnerability does not grant traditional unauthorized access or code execution, it does compromise confidentiality by exposing personal information that should have been fully removed.

Affected Systems

Apple iOS and iPadOS devices running versions prior to iOS 18.5 or iPadOS 18.5 are affected. The issue is fixed in iOS 18.5 and iPadOS 18.5. Devices with earlier releases remain vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity vulnerability, though the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers or even ordinary users can trigger the issue simply by performing a Spotlight search on the device; no special privileges or network access are required. The likely attack vector is local device use, where Spotlight surfaces residual call history that was not removed along with the deleted app.

Generated by OpenCVE AI on April 28, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the iOS 18.5 or iPadOS 18.5 update, which fixes the residual call history issue.
  • Restart the device to allow the Spotlight index to refresh and confirm that deleted app call logs no longer appear.
  • If the issue persists after the update, consult Apple support through the provided link or report it via the Apple Support page for further assistance.



Advisories
Source: EUVD
ID: EUVD-2025-14624
Title: A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.5 and iPadOS 18.5. Call history from deleted apps may still appear in spotlight search results.

History

Tue, 28 Apr 2026 02:15:00 +0000

Type: Title
Values Added: Privacy Leak: Deleted App Call History Appears in Spotlight Search

Mon, 03 Nov 2025 20:30:00 +0000

Type: References

Tue, 27 May 2025 21:45:00 +0000

Type: First Time appeared
Values Added: Apple, Apple ipados, Apple iphone Os

Type: CPEs
Values Added: cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple, Apple ipados, Apple iphone Os

Tue, 13 May 2025 20:15:00 +0000

Type: Weaknesses
Values Added: CWE-200

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 May 2025 21:45:00 +0000

Type: Description
Values Added: A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.5 and iPadOS 18.5. Call history from deleted apps may still appear in spotlight search results.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:14:52.906Z

Reserved: 2025-03-27T16:13:58.321Z

Link: CVE-2025-31225

Vulnrichment

Updated: 2025-11-03T19:50:28.592Z

NVD

Status: Modified

Published: 2025-05-12T22:15:23.230

Modified: 2025-11-03T20:18:19.957

Link: CVE-2025-31225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:00:15Z

Weaknesses