Description
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Update
AI Analysis

Impact

The vulnerability is an authorization issue in how iOS and iPadOS track the device's locked state: because that state is managed incorrectly, an attacker who has physical possession of a locked iPhone or iPad can view sensitive user information without unlocking it. The weakness is tracked as CWE-287 (Improper Authentication). The impact is to confidentiality only; the CVSS vector records no integrity or availability effect, so this is a data-exposure flaw rather than a full lock-screen bypass to device control.

Affected Systems

iPhones and iPads running iOS or iPadOS 18.x earlier than 18.7.5, or 26.x earlier than 26.3, are affected; the NVD CPE entries (apple:iphone_os and apple:ipados) carry no model or version restriction, so every device on those trains should be assumed exposed until updated. Builds at or after the fixed versions contain the corrected state management. The advisory names no fix for earlier major versions, so devices that cannot be moved to one of the fixed builds should be treated as exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 (Medium) comes from the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: a local attack vector with low complexity, no user interaction, high confidentiality impact and no integrity or availability impact. The EPSS estimate is below 1%, the CVE is not in CISA's KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. Exploitation requires hands-on access to a locked device, so the issue cannot be reached remotely; the practical risk is concentrated on lost, stolen or seized devices, where the lock screen is the only control between an attacker and the user's data.

Generated by OpenCVE AI on April 15, 2026 at 20:57 UTC.

Remediation

Vendor fix: update to iOS 18.7.5 / iPadOS 18.7.5 or iOS 26.3 / iPadOS 26.3 (or later), per the CVE description. No workaround is published; until the update is installed the only mitigation is to keep the device out of an attacker's hands.

OpenCVE Recommended Actions

  • Update affected devices to iOS 18.7.5 / iPadOS 18.7.5 (18.x train) or iOS 26.3 / iPadOS 26.3 (26.x train), or later; these builds contain the corrected state management. Confirm the installed version in Settings > General > About or from the MDM inventory rather than assuming automatic updates have applied.
  • Keep devices locked when unattended and require a strong passcode behind Face ID or Touch ID; the lock screen is the control this flaw weakens, so a device left unlocked gives an attacker far more than the bug does.
  • Enrol devices in Find My (formerly Find My iPhone) so that a lost or stolen device can be marked as lost, remotely locked or erased before anyone with physical access can exploit the weakness.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker with physical access to a locked device may be able to view sensitive user information.
Values Added: An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.

Wed, 18 Feb 2026 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-287

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Apple ipados; Apple iphone Os

Type: Weaknesses
Values Added: NVD-CWE-noinfo

Type: CPEs
Values Added:
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple ipados; Apple iphone Os

Type: Metrics
Values Added: cvssV3_1
{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 12 Feb 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ios And Ipados

Type: Vendors & Products
Values Added: Apple; Apple ios And Ipados

Wed, 11 Feb 2026 23:15:00 +0000

Type: Description
Values Added: An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker with physical access to a locked device may be able to view sensitive user information.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:52.022Z

Reserved: 2025-11-11T14:43:07.864Z

Link: CVE-2026-20655

Vulnrichment

Updated: 2026-02-18T14:56:37.384Z

NVD

Status : Modified

Published: 2026-02-11T23:16:08.330

Modified: 2026-04-02T19:21:18.403

Link: CVE-2026-20655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z

Weaknesses