Description
A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment.
Published: 2026-01-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential bypass of passcode enforcement
Action: Patch
AI Analysis

Impact

A logic flaw in the system validation allows the device to skip the passcode prompt when a backup is restored immediately after a Face ID enrollment. This flaw can lead to unauthorized use of the device if an attacker has physical access. The weakness maps to improper authentication, as it permits access without the expected passcode credential.

Affected Systems

Apple’s iOS and iPadOS operating systems are impacted. The flaw exists in releases prior to version 26.2 of each OS and is fixed in iOS 26.2 and iPadOS 26.2. Devices running earlier releases without the update could be vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not in the CISA KEV catalog. The attack requires physical access to perform a backup restore after a Face ID enrollment, and no remote exploitation surface is described. The likely vector is a local victim device or account that an attacker can manipulate, with remediation available through an OS update.

Generated by OpenCVE AI on April 22, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 26.2 or iPadOS 26.2 to receive the validation fix.
  • If an update is not immediately possible, avoid restoring backups until a passcode is configured on the device.
  • After performing a backup restore, verify that the passcode prompt appears before using Face ID or other authentication methods.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple ipados; Apple iphone Os |
| CPEs | | cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
| Vendors & Products | | Apple ipados; Apple iphone Os |

Mon, 12 Jan 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple; Apple ios; Apple ipad Os |
| Vendors & Products | | Apple; Apple ios; Apple ipad Os |

Fri, 09 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-288 |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 09 Jan 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:18:29.314Z

Reserved: 2025-04-22T21:13:49.959Z

Link: CVE-2025-46286

Vulnrichment

Updated: 2026-01-09T21:34:44.722Z

NVD

Status: Analyzed

Published: 2026-01-09T22:15:59.407

Modified: 2026-01-14T17:46:11.003

Link: CVE-2025-46286

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z
