Description
This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An attacker with physical access may be able to access contacts from the lock screen.
Published: 2025-11-04
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Contact Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in macOS lock-screen behaviour allows an attacker with physical access to read the device's contacts from the lock screen. The weakness is an authentication and access control issue, identified as CWE-284, and it exposes users' personal data without their consent. The vulnerability does not grant higher privileges or remote code execution, but it compromises the confidentiality of contact information.

Affected Systems

Apple’s macOS operating system is affected. Versions prior to macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, and macOS Tahoe 26.1 contain the flaw; the specified releases contain the fix. All earlier releases of these macOS lines should be considered vulnerable.

Risk and Exploitability

The CVSS score is 2.4, indicating low severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA's KEV catalog, implying a low likelihood of exploitation. Because the attack vector is physical access, an attacker needs proximity to the device, which limits the threat surface. Although the disclosed data could be sensitive to the victim, the overall risk to systems or broader organizational infrastructure remains low.

Generated by OpenCVE AI on April 27, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update macOS to at least Sequoia 15.7.2, Sonoma 14.8.2, or Tahoe 26.1, which remove the flaw.
  • Ensure that the device remains physically secured and the lock screen remains active; use a strong password or biometric authentication.
  • If an update is temporarily unavailable, configure System Settings to prevent contacts from being displayed on the lock screen or disable the contacts feature entirely.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:45:00 +0000

Type: Title
Values Added: Contact Disclosure via Lock Screen with Physical Access on macOS

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An attacker with physical access may be able to access contacts from the lock screen.
Values Added: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An attacker with physical access may be able to access contacts from the lock screen.

Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values Removed: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An attacker with physical access may be able to access contacts from the lock screen.
Values Added: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An attacker with physical access may be able to access contacts from the lock screen.

Type: References

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values Added:
Apple macos Sequoia
Apple macos Sonoma

Type: Vendors & Products
Values Added:
Apple macos Sequoia
Apple macos Sonoma

Tue, 04 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values Added:
Apple
Apple macos

Type: CPEs
Values Added: cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
Apple
Apple macos

Tue, 04 Nov 2025 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-284

Type: Metrics
Values Added:
cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 01:45:00 +0000

Type: Description
Values Added: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An attacker with physical access may be able to access contacts from the lock screen.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:09.884Z

Reserved: 2025-04-16T15:24:37.121Z

Link: CVE-2025-43408

Vulnrichment

Updated: 2025-11-04T13:37:38.578Z

NVD

Status: Modified

Published: 2025-11-04T02:15:47.217

Modified: 2026-04-02T19:20:41.280

Link: CVE-2025-43408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:30:15Z

Weaknesses