Impact
A security flaw in Apple iOS, iPadOS, and visionOS allows a malicious or compromised application to capture the contents of a user’s screen through improper handling of camera metadata. It is inferred from the description that the vulnerability does not provide arbitrary code execution, but it does permit the extraction of sensitive visual information (potentially revealing passwords, personal data, or private communications), thereby compromising user privacy and confidentiality.
Affected Systems
Apple devices running iOS, iPadOS, or visionOS versions prior to the fixed releases (iOS 18.7.9, iOS 26.5, iPadOS 18.7.9, iPadOS 26.5, or visionOS 26.5) are affected. Any device not yet updated to at least these releases remains vulnerable to unauthorized screen capture through app camera access.
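The fixed releases span two version branches, so a single "older than X" comparison misclassifies devices. The following Python sketch is an added example, not part of the original advisory or any vendor tooling; it triages a device inventory against the releases listed above. The inventory records are constructed, and the branch rule (a version counts as patched only when it meets the fix for its own major branch, or is at or above the newest fix) is an assumption.

```python
# Fixed releases as stated in the advisory, per platform.
FIXED = {
    "iOS": [(18, 7, 9), (26, 5)],
    "iPadOS": [(18, 7, 9), (26, 5)],
    "visionOS": [(26, 5)],
}

def parse_version(text):
    """Turn '18.7.9' into (18, 7, 9); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def pad(version, width=3):
    """Right-pad with zeros so that 26.5 and 26.5.0 compare as equal."""
    return tuple(version) + (0,) * (width - len(version))

def is_patched(os_name, version_text):
    """Assumed rule: patched if the version meets the fix for its own major
    branch, or is at or above the newest fix listed for the platform."""
    fixes = sorted(pad(f) for f in FIXED[os_name])  # KeyError on unknown platform
    version = pad(parse_version(version_text))
    for fix in fixes:
        same_branch = version[0] == fix[0]
        newest = fix == fixes[-1]
        if version >= fix and (same_branch or newest):
            return True
    return False

# Constructed sample inventory (hypothetical device names and versions).
INVENTORY = [
    ("ipad-lab-01", "iPadOS", "18.7.8"),
    ("iphone-exec-02", "iOS", "18.7.9"),
    ("iphone-dev-03", "iOS", "26.4.1"),
    ("vision-demo-04", "visionOS", "26.5"),
    ("iphone-old-05", "iOS", "17.7.2"),
]

def unpatched(inventory):
    """Return the names of devices still below a fixed release."""
    return [name for name, os_name, ver in inventory
            if not is_patched(os_name, ver)]

if __name__ == "__main__":
    for name in unpatched(INVENTORY):
        print("needs update:", name)
```

A device on the 26 branch below 26.5 is flagged even though its version number is higher than 18.7.9, which is the case a naive comparison gets wrong.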
Risk and Exploitability
The vulnerability can be exploited by any application that has been granted camera permissions on the device. The likely attack vector is local app execution, inferred from the fact that the flaw requires an app to access camera metadata. The CVSS score of 3.3 indicates low severity, while the EPSS score of <1% and the vulnerability's absence from CISA’s KEV catalog suggest a lower likelihood of widespread exploitation at this time. Nevertheless, because it enables the capture of screen contents, it poses a significant privacy and data exposure risk, especially if an attacker can entice a user to grant camera access or employs a targeted social engineering campaign.