SB2026032509 - Multiple vulnerabilities in Apple iOS 18 and iPadOS 18




Published: March 25, 2026

Security Bulletin ID: SB2026032509
Severity: High
Patch available: YES
Number of vulnerabilities: 24
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 4%, Medium 25%, Low 71%

Description

This security bulletin contains information about 24 security vulnerabilities.


1) Use after free (CVE-ID: CVE-2026-20687)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in Kernel. A local application can cause unexpected system termination or write kernel memory.


2) Universal cross-site scripting (CVE-ID: CVE-2026-28871)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in WebKit. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of an arbitrary website.


3) State Issues (CVE-ID: CVE-2026-28861)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper handling of web content in WebKit when processing malicious web pages. A remote attacker can entice the victim to visit a specially crafted website and access script message handlers intended for other origins.


4) Information disclosure (CVE-ID: CVE-2025-43376)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a logic issue in WebKit. A remote attacker can view leaked DNS queries with Private Relay turned on.


5) Protection mechanism failure (CVE-ID: CVE-2026-20643)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures within the Navigation API in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and bypass Same Origin Policy.


6) State Issues (CVE-ID: CVE-2026-20665)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a state management issue in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


7) Memory corruption (CVE-ID: CVE-2026-20657)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in Vision. A local application can trick the victim into opening a specially crafted file and cause an unexpected app termination.


8) Improper input validation (CVE-ID: CVE-2026-28852)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in UIFoundation. A local application can cause a denial-of-service.


9) Information disclosure (CVE-ID: CVE-2026-28864)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access controls in the Security component when handling local requests. A local user can exploit this to disclose sensitive information.

Exploitation requires local access and no additional privileges beyond those of a standard user.


10) Improper access control (CVE-ID: CVE-2026-28867)

The vulnerability allows a local user to execute arbitrary code in kernel space.

The vulnerability exists due to improper access control in the kernel when handling local application requests. A local user can exploit this to execute arbitrary code in kernel space.

Successful exploitation may allow the attacker to gain full control over the system.


11) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-28865)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the 802.1X protocol implementation when handling authentication requests. A remote attacker on the local network can intercept sensitive information. 


12) Information exposure through log files (CVE-ID: CVE-2026-28868)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to inclusion of sensitive information into a log file in Kernel. A local application can disclose kernel memory.


13) Protection mechanism failure (CVE-ID: CVE-2025-43534)

The vulnerability allows an attacker to bypass Activation Lock.

The vulnerability exists due to insufficient implementation of security measures in iTunes Store. An attacker with physical access to the device can bypass Activation Lock.


14) Out-of-bounds read (CVE-ID: CVE-2025-64505)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the png_do_quantize function when processing PNG files with malformed palette indices. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and read contents of memory on the system.


15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28880)

The vulnerability allows a local application to enumerate installed apps.

The vulnerability exists due to improperly imposed security restrictions in iCloud. A local application can enumerate the user's installed apps.


16) Information exposure through log files (CVE-ID: CVE-2026-20668)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to inclusion of sensitive information into a log file in Focus. A local application can access sensitive user data.


17) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-28876)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to incorrect handling of path names in DeviceLink. A local application can trick the victim into opening a specially crafted file and access sensitive user data.


18) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)

The vulnerability allows an attacker to obtain a bearer token.

The vulnerability exists due to an error when handling cross-protocol redirects. When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.


19) Improper input validation (CVE-ID: CVE-2026-28878)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in Crash Reporter when handling crash reports. A local user can provide specially crafted input to cause a denial of service.

Exploitation does not require elevated privileges.


20) Improper input validation (CVE-ID: CVE-2026-28886)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in CoreUtils. A local user can cause a denial-of-service.


21) Memory corruption (CVE-ID: CVE-2026-20690)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.


22) Improper link resolution before file access ('link following') (CVE-ID: CVE-2026-28866)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to insecure symbolic link following in Clipboard. A local application can access sensitive user data.


23) Use after free (CVE-ID: CVE-2026-28879)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in Audio. A remote attacker can trick the victim into opening a specially crafted file and cause an unexpected process crash.


24) Use after free (CVE-ID: CVE-2026-20637)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in AppleKeyStore. A local application can cause unexpected system termination.


Remediation

Install the update from the vendor's website.