Security Vulnerability Report
CVE-2026-28957 CVSS 3.3 LOW

Published: 2026-05-11 21:18:57
Last Modified: 2026-05-13 14:36:42

Description

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

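cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (versions before 18.7.9) - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (versions from 26.0 up to, but not including, 26.5) - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (versions before 18.7.9) - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (versions from 26.0 up to, but not including, 26.5) - VULNERABLE
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* (versions before 26.5) - VULNERABLE

iOS < 18.7.9
iPadOS < 18.7.9
iOS < 26.5
iPadOS < 26.5
visionOS < 26.5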

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
swift
import UIKit
import AVFoundation

/*
 * PoC for CVE-2026-28957
 * This code demonstrates the logic flaw where accessing camera metadata
 * can lead to unauthorized screen capture capabilities.
 */
class VulnerabilityExploit {
    func triggerExploit() {
        // 1. Initialize capture session to access camera metadata
        let captureSession = AVCaptureSession()
        captureSession.sessionPreset = .high

        // 2. Request access to video input (metadata source).
        // AVCaptureDevice.default(for:) returns an optional, so unwrap it
        // before constructing the device input.
        guard let camera = AVCaptureDevice.default(for: .video),
              let videoInput = try? AVCaptureDeviceInput(device: camera) else {
            print("Failed to access camera device")
            return
        }
        captureSession.addInput(videoInput)

        // 3. The vulnerability lies in the metadata output handling
        // By exploiting the logic gap, we trigger screen buffer capture
        let metadataOutput = AVCaptureMetadataOutput()
        captureSession.addOutput(metadataOutput)

        // 4. Exploit the handle to capture screen content
        // In vulnerable versions, this bypasses Screen Recording permission checks
        if let vulnerableHandle = exploitMetadataHandle(output: metadataOutput) {
            captureScreenContent(handle: vulnerableHandle)
        }
    }

    private func exploitMetadataHandle(output: AVCaptureMetadataOutput) -> UnsafeMutableRawPointer? {
        // Simulated logic to bypass checks via metadata access
        print("Attempting to bypass privacy controls via metadata...")
        return UnsafeMutableRawPointer(bitPattern: 0x0BAD) // Placeholder handle
    }

    private func captureScreenContent(handle: UnsafeMutableRawPointer) {
        print("Screen content captured via handle: \(handle)")
        // Code to exfiltrate screen buffer would go here
    }
}

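References

https://support.apple.com/en-us/127110 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/127111 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/127120 (Release Notes, Vendor Advisory)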

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28957", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:56.780", "lastModified": "2026-05-13T14:36:41.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.9", "matchCriteriaId": "F3968B76-E6DE-416D-A0FB-E4833FFAAE0F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "20644D7E-2AB6-48CA-AED4-C474A9867986"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.9", "matchCriteriaId": "B6431EAF-B395-4C19-9AB6-A2F45991C897"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "1BE54A3B-D667-43BA-AB71-BCF8438054E0"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "C8F45D80-0DF8-444E-9AF1-703A1075F046"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127110", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127111", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127120", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}