VYPR
Medium severity 5.5 · NVD Advisory · Published Dec 17, 2025 · Updated Apr 2, 2026

CVE-2025-46288


Description

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A permissions issue in Apple operating systems could allow an app to access sensitive payment tokens without proper authorization.

Vulnerability Overview

CVE-2025-46288 is a permissions issue in Apple's operating systems that could allow an app to access sensitive payment tokens. The root cause is insufficient restrictions on app permissions, enabling unauthorized access to sensitive data related to payments. Apple addressed this by implementing additional restrictions to enforce proper permission boundaries [1][2].

Attack Vector and Exploitation

Exploiting this vulnerability requires a malicious or vulnerable app to be installed on the affected device. The attacker does not need any special network access or physical proximity; the attack is local in nature, relying on the app's ability to bypass existing permission checks. No user interaction beyond installing the app is required, and the vulnerability can be exploited without authentication beyond what the app already possesses [3][4].

Impact

If exploited, an attacker could gain access to sensitive payment tokens used for payment transactions, potentially leading to unauthorized payment processing or exposure of financial information. Apple rates the impact as medium severity (CVSS v3.1 base score 5.5), indicating that while the attack is local and requires an app installation, the confidentiality impact is significant [1][3].

Mitigation

Apple has released patches for this issue in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2, all released on December 12, 2025 [1][2][3][4]. Users should update their devices to the latest software versions to mitigate the risk. There are no workarounds available, as the fix requires the operating system update.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8


References

4
