Security Vulnerability Report
CVE-2026-28895 CVSS 4.6 MEDIUM


Published: 2026-03-25 01:17:13
Last Modified: 2026-03-26 18:58:05

Description

The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
iOS < 26.4
iPadOS < 26.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-28895 (Conceptual)
# This script demonstrates the logic flow of the bypass.
# Note: This requires physical access and the device passcode.


def attempt_bypass_protected_app(target_app):
    print(f"[*] Attempting to access {target_app}...")

    # 1. Trigger the protected app launch
    print("[+] App launched. Waiting for authentication prompt...")

    # 2. Check if Biometrics is required (Vulnerable behavior check)
    biometrics_required = check_biometrics_state()

    if not biometrics_required:
        print("[!] VULNERABLE: Biometrics bypass detected. Passcode entry allowed.")
        # 3. Enter passcode (simulated)
        print("[+] Entering device passcode...")
        access_granted = True
    else:
        print("[-] Secure: Biometrics enforced.")
        access_granted = False

    return access_granted


def check_biometrics_state():
    # In a real exploit, this would interact with iOS local authentication APIs
    # to exploit the race condition or logic error.
    # For this CVE, the system fails to enforce biometrics for protected apps
    # when physical access is detected in certain contexts.
    return False  # Simulating the vulnerability


if __name__ == "__main__":
    app = "Photos"  # Example of a protected app
    if attempt_bypass_protected_app(app):
        print(f"[SUCCESS] Access to {app} granted via passcode only.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28895", "sourceIdentifier": "[email protected]", "published": "2026-03-25T01:17:12.973", "lastModified": "2026-03-26T18:58:05.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode."}, {"lang": "es", "value": "El problema se abordó con comprobaciones mejoradas. Este problema se corrigió en iOS 26.4 y iPadOS 26.4. Un atacante con acceso físico a un dispositivo iOS con Protección de Dispositivos Robados habilitada podría acceder a Aplicaciones Protegidas con autenticación biométrica usando el código de acceso."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "F813DB63-2B55-4E0B-9073-5465C65F69D6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.4", "matchCriteriaId": "01612D13-BE5B-43F8-B53E-5BF57F2A5B0C"}]}]}], "references": [{"url": "https://support.apple.com/en-us/126792", "source": "[email protected]", "tags": ["Vendor Advisory", "Release Notes"]}]}}