Security Vulnerability Report
CVE-2026-28950 CVSS 6.2 MEDIUM

CVE-2026-28950

Published: 2026-04-22 19:17:01
Last Modified: 2026-05-17 23:17:02

Description

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2, iPadOS 17.7.11. Notifications marked for deletion could be unexpectedly retained on the device.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

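cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (versions before 18.7.8) - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (versions from 26.0 up to, but not including, 26.4.2) - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (versions before 18.7.8) - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (versions from 26.0 up to, but not including, 26.4.2) - VULNERABLE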
iOS < 15.8.8
iPadOS < 15.8.8
iOS < 16.7.16
iPadOS < 16.7.16
iOS < 17.7.11
iPadOS < 17.7.11
iOS < 18.7.8
iPadOS < 18.7.8
iOS < 26.4.2
iPadOS < 26.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import json

# Proof of Concept (PoC) for CVE-2026-28950
# This script demonstrates checking for remnants of deleted notifications in system logs.
# Note: Actual exploitation requires a jailbroken device or access to iOS internal filesystem.


def scan_logs_for_notifications(log_dir):
    # Simulation only: log_dir is printed but never opened or parsed,
    # and the record returned below is hard-coded.
    print(f"[*] Scanning directory: {log_dir}")
    # Simulated finding of a deleted notification
    # In a real scenario, this parses /var/log/system.log or BulletinBoard
    simulated_vulnerable_log = {
        "timestamp": "2026-04-22 10:00:00",
        "level": "WARNING",
        "message": "Notification marked for deletion but retained in log cache.",
        "notification_id": "com.apple.mobilemail.deleted",
        "content_preview": "Your bank account balance is...",
    }
    return [simulated_vulnerable_log]


def main():
    target_paths = [
        "/var/log/system.log",
        "/private/var/mobile/Library/BulletinBoard/NotificationStore/",
    ]
    print("[*] Checking for CVE-2026-28950 vulnerability...")
    for path in target_paths:
        # The existence check is bypassed, so every path is reported on
        # whether or not it is present on the machine running the script.
        if os.path.exists(path) or True:  # Forced True for simulation
            results = scan_logs_for_notifications(path)
            if results:
                print("[!] Potential data remnants found:")
                print(json.dumps(results, indent=2))
                print("[+] Vulnerability Confirmed: Deleted notifications are persistent.")
            else:
                print("[-] No remnants found.")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28950", "sourceIdentifier": "[email protected]", "published": "2026-04-22T19:17:00.847", "lastModified": "2026-05-17T23:17:02.287", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2, iPadOS 17.7.11. Notifications marked for deletion could be unexpectedly retained on the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.8", "matchCriteriaId": "E1E74E76-F568-4CBA-8C59-019109315621"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.4.2", "matchCriteriaId": "B563F701-8EDC-402E-BAC9-B32D6C9D8053"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.8", "matchCriteriaId": "48E4A5C9-691F-43E9-821E-3BAA0CCE2D9B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.4.2", "matchCriteriaId": 
"4151E93E-2E9F-4BCE-816A-D23E33BAF17B"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127002", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127003", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127112", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/127113", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/127114", "source": "[email protected]"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/14", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/15", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2026/May/10", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2026/May/8", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2026/May/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}