VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2024 · Updated Apr 2, 2026

CVE-2024-40851

Description

A physical attacker can access contact photos on a locked iOS/iPadOS device; fixed in iOS 18.1 and iPadOS 18.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2024-40851 affects iOS versions prior to 18.1 (iPhone XS and later) and iPadOS versions prior to 18.1 (relevant iPad models). The bug allows contact photos stored on the device to be viewed from the lock screen without authentication. Apple addressed the issue by restricting options offered on a locked device and improving authentication.

Exploitation

The attacker requires physical access to a locked device running an unpatched iOS/iPadOS version. By interacting with the lock screen interface, the attacker can navigate to or trigger a view that exposes contact photos. No authentication is needed; physical access to the device is sufficient. The attack is straightforward and requires no special tools or skills beyond basic interaction with the lock screen.

Impact

Successful exploitation grants the attacker unauthorized access to contact photos, which may include personally identifiable information (PII) such as faces, names, and contexts of contacts. The CIA impact is primarily a confidentiality breach of sensitive visual data. The attacker does not gain persistent access or privilege escalation beyond this information disclosure.

Mitigation

The vulnerability is fixed in iOS 18.1 and iPadOS 18.1, released October 28, 2024 [1]. Users should update their devices via Settings > General > Software Update. Apple does not provide workarounds for older versions; installation of the update is the only complete mitigation. No evidence indicates this CVE is in CISA's Known Exploited Vulnerabilities catalog as of publication.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
