High severity 7.5 · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-28964

Description

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to access sensitive user data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An inconsistent user interface in iOS, iPadOS, and visionOS could allow an app to access sensitive user data.

Vulnerability

Overview

CVE-2026-28964 is an inconsistent user interface issue in Apple's iOS, iPadOS, and visionOS. The root cause is a state management flaw that could allow an app to access sensitive user data. The vulnerability was addressed with improved state management in the respective operating system updates.

Exploitation

An attacker would need to have an app installed on the device to exploit this vulnerability. The attack vector is local, as the app must be running on the user's device. No user interaction beyond installing the malicious app is required. The vulnerability affects a wide range of devices, including iPhone 11 and later, various iPad models, and Apple Vision Pro [1][2].

Impact

If exploited, an app could gain unauthorized access to sensitive user data. The exact type of data is not specified, but it could include personal information, credentials, or other private data stored on the device. This could lead to privacy breaches or further compromise of the user's digital identity.

Mitigation

Apple released patches in iOS 26.5, iPadOS 26.5, and visionOS 26.5 on May 11, 2026. Users are strongly advised to update their devices to the latest available versions to protect against this vulnerability. Apple has not provided any workarounds [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 2

News mentions: 1