Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a locked device may be able to view sensitive user information.
Published: 2025-11-04
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Update
AI Analysis

Impact

The vulnerability is a logic flaw that allows an attacker with physical access to a locked device to view sensitive user information. The flaw is classified as CWE-200, an information disclosure weakness. As a result, the confidentiality of user data can be compromised if an unauthorized individual gains access to the device while it is locked.

Affected Systems

Apple's iOS and iPadOS operating systems are affected. The flaw is present in all builds prior to iOS 26.1 and iPadOS 26.1. Devices running any earlier release inherit this weakness, while the cited Apple versions contain the remediation.

Risk and Exploitability

The CVSS score of 4.6 denotes moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. The attack vector is inferred to be local physical access to a locked device; remote exploitation is not supported by the description.

Generated by OpenCVE AI on April 22, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 26.1 or iPadOS 26.1 or later.
  • If an upgrade is not immediately attainable, ensure the device remains in a physically secure location and keep it locked to prevent unauthorized physical access.
  • Maintain the device with the latest firmware through trusted connections and verify that no legacy bootloader or firmware versions remain installed.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Logic flaw allowing physical access attacker to view sensitive data on locked iOS and iPadOS devices |

Tue, 04 Nov 2025 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple iphone Os |
| CPEs | | `cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*` |
| | | `cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Apple iphone Os |

Tue, 04 Nov 2025 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple |
| | | Apple ios |
| | | Apple ipados |
| Vendors & Products | | Apple |
| | | Apple ios |
| | | Apple ipados |

Tue, 04 Nov 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-200 |
| Metrics | | cvssV3_1: `{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` |
| | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Tue, 04 Nov 2025 01:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A logic issue was addressed with improved checks. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a locked device may be able to view sensitive user information. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:40.595Z

Reserved: 2025-04-16T15:24:37.126Z

Link: CVE-2025-43460

Vulnrichment

Updated: 2025-11-04T15:18:44.584Z

NVD

Status: Analyzed

Published: 2025-11-04T02:15:51.410

Modified: 2025-11-04T17:51:32.673

Link: CVE-2025-43460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:45:06Z
