Description
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.
Published: 2026-02-11
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update OS
AI Analysis

Impact

This vulnerability stems from a privacy issue that was resolved by removing sensitive data. In versions prior to iOS 26.3 and iPadOS 26.3, an attacker who gains physical access to a device that is still locked can read private user information that should have been protected. The weakness allows disclosure of confidential data, as classified under CWE‑200, without needing to bypass authentication or compromise the operating system.

Affected Systems

The problem affects Apple iOS and iPadOS devices. Anyone using a version older than 26.3 of iOS or iPadOS is susceptible. The known affected CPEs confirm that all models running the operating system prior to the patch are impacted.

Risk and Exploitability

The CVSS base score of 4.6 indicates moderate risk, and the very low EPSS (<1%) suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attack requires physical possession of a locked device; the attack vector is physical (AV:P), so the issue cannot be exploited remotely. In such a scenario, a local attacker could view the exposed data while the device is still locked.

Generated by OpenCVE AI on April 15, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 26.3 or iPadOS 26.3 to apply the fix.
  • Enable a strong screen‑lock or biometric authentication to protect the device at rest.
  • Limit or monitor physical access to the device when it is not in use.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Title Physical Access Information Disclosure on Locked iOS/iPadOS Devices

Fri, 13 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Vendors & Products Apple
Apple ios And Ipados

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:31.140Z

Reserved: 2025-11-11T14:43:07.867Z

Link: CVE-2026-20674

Vulnrichment

Updated: 2026-02-13T17:22:19.815Z

NVD

Status: Modified

Published: 2026-02-11T23:16:09.757

Modified: 2026-02-13T18:16:19.623

Link: CVE-2026-20674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z
