Description
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An app may be able to fingerprint the user.
Published: 2025-11-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: User fingerprinting
Action: Patch
AI Analysis

Impact

An additional entitlement check was required to prevent apps from collecting device information that could identify a user. Without the check, an application may be able to fingerprint the user by retrieving identifiers or other device attributes, which is a privacy breach. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Affected Systems

Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are affected. The fix ships in version 26 of each platform; the advisory does not enumerate which earlier releases remain vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS is below 1%, suggesting a low probability of exploitation, and the vulnerability is not in the CISA KEV catalogue. An attacker would need to install, or exploit, a malicious app that can read device identifiers. Because the flaw hinges on missing entitlement validation, the attack is likely local, requiring the app to run on the device, but any application with the necessary installation privileges could leverage it.

Generated by OpenCVE AI on April 27, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apple OS update that includes the entitlement checks for iOS, iPadOS, macOS, tvOS, visionOS, or watchOS.
  • Ensure that apps do not request or use device identifiers beyond what is permitted by the platform’s entitlement model.
  • Monitor app installations for unexpected use of device identifiers and enforce strict app review policies.


Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:30:00 +0000

Type: Title
Values removed: (none)
Values added: Apple OS Fingerprinting Vulnerability via Missing Entitlement Check

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values removed: This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 26, tvOS 26, iOS 26 and iPadOS 26, watchOS 26. An app may be able to fingerprint the user.
Values added: This issue was addressed with additional entitlement checks. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An app may be able to fingerprint the user.

Type: References
Values removed: (none)
Values added: (none)

Tue, 04 Nov 2025 17:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Apple iphone Os

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Apple iphone Os

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  Apple
  Apple ios
  Apple ipados
  Apple tvos
  Apple visionos
  Apple watchos

Type: Vendors & Products
Values removed: (none)
Values added:
  Apple
  Apple ios
  Apple ipados
  Apple tvos
  Apple visionos
  Apple watchos

Tue, 04 Nov 2025 16:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-200

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type: Description
Values removed: (none)
Values added: This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 26, tvOS 26, iOS 26 and iPadOS 26, watchOS 26. An app may be able to fingerprint the user.

Type: References
Values removed: (none)
Values added: (none)

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:07.480Z

Reserved: 2025-04-16T15:24:37.108Z

Link: CVE-2025-43323

Vulnrichment

Updated: 2025-11-04T15:21:28.611Z

NVD

Status: Modified

Published: 2025-11-04T02:15:39.347

Modified: 2026-04-02T19:20:26.110

Link: CVE-2025-43323

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:15:06Z

Weaknesses