Description
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to enumerate a user's installed apps.
Published: 2025-11-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via permissions bypass
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a permissions issue that allows an application to enumerate the list of apps installed on a device. This falls under CWE‑288 Unauthorized Access to Resource. Enumerating installed apps can expose sensitive usage patterns and potentially reveal personal data. The impact is primarily an information disclosure risk, compromising user privacy and potentially enabling targeted attacks by revealing installed software.

Affected Systems

The issue affects multiple Apple operating systems: iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Versions prior to 26.1 are vulnerable, while the fix is delivered in iOS 26.1, iPadOS 26.1, macOS 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to run malicious or misconfigured apps on the device to leverage the enumeration vector, making the attack likely local and requiring device access. The risk is significant for environments that store sensitive data in installed applications and for users who value privacy.

Generated by OpenCVE AI on April 22, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Push the latest OS update (v 26.1 or later) to all affected Apple devices, which enforces the missing permissions restriction.
  • Limit or disable the installation of third‑party applications that are not verified or authorized by your device management policy, reducing the attack surface.
  • Enable device auditing and monitoring to detect anomalous app enumeration activity, and enforce strict access controls on system APIs that expose installation information.

Generated by OpenCVE AI on April 22, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Permissions Bypass Allows Enumeration of Installed Apps

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps. A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to enumerate a user's installed apps.

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps. A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps.
References

Tue, 04 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Apple watchos
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Apple watchos

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipad Os
Apple tvos
Apple visionos
Apple watch Os
Vendors & Products Apple
Apple ios
Apple ipad Os
Apple tvos
Apple visionos
Apple watch Os

Tue, 04 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps.
References

Subscriptions

Apple Ios Ipad Os Ipados Iphone Os Tvos Visionos Watch Os Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:20:19.239Z

Reserved: 2025-04-16T15:24:37.124Z

Link: CVE-2025-43436

cve-icon Vulnrichment

Updated: 2025-11-04T15:16:18.399Z

cve-icon NVD

Status : Modified

Published: 2025-11-04T02:15:49.467

Modified: 2026-04-02T19:20:46.463

Link: CVE-2025-43436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses