Security Vulnerability Report
中文
CVE-2026-28963 CVSS 4.6 MEDIUM

CVE-2026-28963

Published: 2026-05-11 21:18:57
Last Modified: 2026-05-13 14:35:47
Source: [email protected]

Description

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring.

CVSS Details

CVSS Score
4.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
iOS < 26.5
iPadOS < 26.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# This is a conceptual PoC for CVE-2026-28963 # It simulates the interaction chain to trigger Visual Intelligence during iPhone Mirroring. # Requires physical access or automation controller connected to the device. import time def trigger_privacy_leak(): print("[*] Initiating attack sequence for CVE-2026-28963") # Step 1: Ensure iPhone Mirroring is active on a paired Mac # Attacker needs physical access to trigger inputs on the iPhone print("[+] Verifying iPhone Mirroring session status...") # Step 2: Trigger Visual Intelligence (e.g., via Camera button or specific gesture) # Exploit the logic flaw where privacy checks are skipped during mirroring state print("[+] Invoking Visual Intelligence overlay...") trigger_visual_intelligence_api() # Step 3: Access sensitive data exposed through the interface # The vulnerability allows reading data that should be obscured sensitive_data = capture_screen_buffer_or_camera_feed() if sensitive_data: print(f"[!] Sensitive data leaked: {sensitive_data}") return True return False def trigger_visual_intelligence_api(): # Placeholder for the specific UI trigger or API call pass def capture_screen_buffer_or_camera_feed(): # Placeholder for data exfiltration return "Exfiltrated_User_Data_Payload" if __name__ == "__main__": trigger_privacy_leak()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28963", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:57.283", "lastModified": "2026-05-13T14:35:47.297", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "9D9FC2C4-7A7C-4330-A226-255428A5D18E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "0A70A5FD-8891-4C4E-9D35-F217F95027B5"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127110", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.