CVE-2026-28988

Root

Cause

CVE-2026-28988 is a permissions issue in Apple's operating systems that was addressed with additional restrictions. The vulnerability allows an app to bypass certain Privacy preferences, potentially leaking sensitive user data or granting unauthorized access. The issue exists across multiple platforms including iOS, iPadOS, macOS, visionOS, and watchOS.

Exploitation

An attacker would need to persuade a user to run a malicious app on a vulnerable device. No special privileges are required beyond normal app execution. The vulnerability may be exploited remotely if the user installs a compromised application, untrusted application. The affected devices include iPhone 11 and later, specific iPad models, Macs running macOS Tahoe, Apple Vision Pro, and Apple Watch Series 6 and later [1][2][3][4].

Impact

If successfully exploited, a malicious app could bypass user-configured Privacy preferences, potentially gaining access to private information such as location data, contacts, photos, or microphone and camera feeds without the user's consent. This violates the user's explicit privacy settings and could lead to data leaks.

Mitigation

Apple has released patches for all affected platforms on May 11, 2026. Users are strongly recommended to update to iOS/iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, or watchOS 26.5 immediately to block this vulnerability. There are no known workarounds for unpatched systems.