Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

A logic flaw in iOS and iPadOS causes identifying information to be leaked to Live Caller ID app extensions even when the user has turned those extensions off. The vulnerability stems from insufficient access-control checks, so the extensions can receive data they should not while the app's extension is disabled. The result is unintended disclosure of user identifiers.

Affected Systems

Clients affected include Apple iOS and iPadOS devices running any version prior to iOS 26.3 and iPadOS 26.3. The issue specifically impacts users who have turned off Live Caller ID app extensions.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the very low EPSS (<1%) suggests limited current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local to the device: an attacker would need physical or temporary control over the device, or access to the user-controlled Live Caller ID extensions. No remote exploitation vector is described in the official data.

Generated by OpenCVE AI on April 15, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 26.3 or iPadOS 26.3 to apply the vendor fix
  • Ensure Live Caller ID app extensions remain enabled during use
  • If an upgrade is delayed, temporarily disable or uninstall the problematic Live Caller ID extensions to prevent data leakage

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type: Title
Values Added: Live Caller ID App Extension Information Leakage on iOS/iPadOS when Extension Disabled

Fri, 13 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Apple ipados; Apple iphone Os

Type: CPEs
Values Added: cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple ipados; Apple iphone Os

Thu, 12 Feb 2026 20:15:00 +0000

Type: Weaknesses
Values Added: CWE-284

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ios And Ipados

Type: Vendors & Products
Values Added: Apple; Apple ios And Ipados

Wed, 11 Feb 2026 23:15:00 +0000

Type: Description
Values Added: A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:24.699Z

Reserved: 2025-11-11T14:43:07.861Z

Link: CVE-2026-20638

Vulnrichment

Updated: 2026-02-12T19:32:57.614Z

NVD

Status: Analyzed

Published: 2026-02-11T23:16:06.923

Modified: 2026-02-13T14:48:06.043

Link: CVE-2026-20638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z

Weaknesses