SB2026032514 - Multiple vulnerabilities in Apple iOS 26 and iPadOS 26




Published: March 25, 2026

Security Bulletin ID SB2026032514
Severity
High
Patch available
YES
Number of vulnerabilities 38
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High: 5%
Medium: 24%
Low: 71%

Description

This security bulletin contains information about 38 security vulnerabilities.


1) Universal cross-site scripting (CVE-ID: CVE-2026-28871)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in WebKit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of an arbitrary website.


2) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-20688)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to incorrect handling of path names in Printing. A local application can break out of its sandbox.


3) Information disclosure (CVE-ID: CVE-2026-28864)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access controls in the Security component when handling local requests. A local user can exploit this to disclose sensitive information.

Exploitation requires local access and no additional privileges beyond those of a standard user.


4) Improper input validation (CVE-ID: CVE-2026-28852)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in UIFoundation. A local application can cause a denial-of-service.


5) State Issues (CVE-ID: CVE-2026-20665)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a state management issue in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


6) Protection mechanism failure (CVE-ID: CVE-2026-20643)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures within the Navigation API in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and bypass Same Origin Policy.


7) Memory corruption (CVE-ID: CVE-2026-20664)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected process crash.


8) Improper access control (CVE-ID: CVE-2026-28882)

The vulnerability allows a local user to escalate privileges and execute arbitrary code.

The vulnerability exists due to improper access control in libxpc when handling local application requests. A local user can exploit this to escalate privileges and execute arbitrary code.

Exploitation requires local access and the ability to execute a local application.


9) Memory corruption (CVE-ID: CVE-2026-28857)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected process crash.


10) State Issues (CVE-ID: CVE-2026-28861)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper handling of web content in WebKit when processing malicious web pages. A remote attacker can entice the victim to visit a specially crafted website and access script message handlers intended for other origins.


11) Memory corruption (CVE-ID: CVE-2026-28859)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in WebKit when processing web content. A remote attacker can trick the victim into visiting a specially crafted website and force the browser into processing restricted web content outside the sandbox.


12) Information disclosure (CVE-ID: CVE-2026-20691)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the WebKit Sandboxing component. A remote attacker can fingerprint the user.


13) Improper input validation (CVE-ID: CVE-2026-20692)

The vulnerability allows a local user to inject arbitrary content.

The vulnerability exists due to improper input validation in Mail when processing email content. A local user can submit specially crafted input to inject arbitrary content.


14) Use after free (CVE-ID: CVE-2026-20687)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in Kernel. A local application can cause unexpected system termination or write kernel memory.


15) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-28865)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the 802.1X protocol implementation when handling authentication requests. A remote attacker on the local network can intercept sensitive information.


16) Memory corruption (CVE-ID: CVE-2026-20690)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.


17) Improper authorization (CVE-ID: CVE-2026-28877)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper authorization checks in the Accounts component. A local application can gain access to sensitive user information.


18) Use after free (CVE-ID: CVE-2026-28879)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in Audio. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected process crash.


19) Buffer overflow (CVE-ID: CVE-2026-28822)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in the Audio subsystem. A remote attacker can trick the victim into opening a specially crafted media file, trigger memory corruption and perform a denial of service attack.


20) Improper input validation (CVE-ID: CVE-2026-28894)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in Calling Framework. A remote attacker can trick the victim into opening a specially crafted file and cause a denial-of-service.


21) Improper link resolution before file access ('link following') (CVE-ID: CVE-2026-28866)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to insecure symbolic link following in Clipboard. A local application can access sensitive user data.


22) Improper input validation (CVE-ID: CVE-2026-28886)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in CoreUtils. A local user can cause a denial-of-service.


23) Memory corruption (CVE-ID: CVE-2026-20698)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in Kernel. A local application can cause unexpected system termination or corrupt kernel memory.


24) Improper input validation (CVE-ID: CVE-2026-28878)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in Crash Reporter when handling crash reports. A local user can provide specially crafted input to cause a denial of service.

Exploitation does not require elevated privileges.


25) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)

The vulnerability allows an attacker to obtain a bearer token.

The vulnerability exists due to an error when handling cross-protocol redirects. When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
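The entry above describes a credential-forwarding failure: a bearer token bound to one HTTP(S) origin follows a redirect into a different protocol and host. The following is an added example, not code from this bulletin, from Apple, or from the curl project, and it does not reproduce curl's own fix. It shows a conservative redirect policy a client or proxy can apply: the Authorization header is forwarded only when the redirect target keeps the same HTTP(S) scheme and the same host, and is dropped for any cross-protocol or cross-host hop. All URLs and headers in it are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Only these schemes may ever carry a bearer token obtained for an HTTP(S) transfer.
HTTP_SCHEMES = {"http", "https"}


def should_forward_bearer(original_url: str, redirect_url: str) -> bool:
    """Return True only if a bearer token for original_url may be sent to redirect_url.

    Policy (conservative, added here as an illustration):
      - the target must be http or https (never imap/ldap/pop3/smtp or anything else),
      - the scheme must not change (blocks https -> http downgrades as well),
      - the host must be identical.
    """
    orig = urlsplit(original_url)
    target = urlsplit(redirect_url)
    orig_scheme = (orig.scheme or "").lower()
    target_scheme = (target.scheme or "").lower()

    if target_scheme not in HTTP_SCHEMES:
        return False  # cross-protocol redirect: the token must not leave HTTP(S)
    if target_scheme != orig_scheme:
        return False  # scheme change within HTTP(S): treat as a new origin
    if not target.hostname or target.hostname.lower() != (orig.hostname or "").lower():
        return False  # different host: the token was not issued for it
    return True


def headers_for_redirect(headers: dict, original_url: str, redirect_url: str) -> dict:
    """Build the header set for the redirected request, stripping Authorization when
    the policy above says the token must not be forwarded. Header names are matched
    case-insensitively because HTTP header names are case-insensitive."""
    forwarded = dict(headers)
    if not should_forward_bearer(original_url, redirect_url):
        for name in list(forwarded):
            if name.lower() == "authorization":
                del forwarded[name]
    return forwarded


def audit_redirect_chain(first_url: str, hops: list, headers: dict) -> list:
    """Walk a redirect chain and report each hop where the token would have been
    forwarded under a naive 'keep all headers' policy but is stripped by ours.
    Returns a list of (from_url, to_url) pairs, i.e. the hops that would have leaked."""
    leaks = []
    current = first_url
    has_token = any(k.lower() == "authorization" for k in headers)
    for nxt in hops:
        if has_token and not should_forward_bearer(current, nxt):
            leaks.append((current, nxt))
        current = nxt
    return leaks


if __name__ == "__main__":
    # Constructed sample: an API call with a bearer token that is redirected
    # to an SMTP URL on another host, as in the cross-protocol case described.
    start = "https://api.example.test/v1/resource"
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    chain = ["https://api.example.test/v2/resource", "smtp://mail.example.test/"]
    for hop in audit_redirect_chain(start, chain, hdrs):
        print("would strip bearer token on redirect:", hop[0], "->", hop[1])
```

The first hop (same scheme, same host) keeps the token; the second hop, into an SMTP URL, strips it. A client that instead forwarded every header unchanged is exactly the behaviour the entry above warns about.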


26) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2026-28876)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to incorrect handling of path names in DeviceLink. A local application can trick the victim into opening a specially crafted file and access sensitive user data.


27) Information disclosure (CVE-ID: CVE-2026-28870)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access controls in GeoServices when handling local application requests. A local user can exploit this to disclose sensitive information.

Access to the local system is required to exploit this vulnerability.


28) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28880)

The vulnerability allows a local application to enumerate installed apps.

The vulnerability exists due to improperly imposed security restrictions in iCloud. A local application can enumerate the user's installed apps.


29) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-28833)

The vulnerability allows a local application to enumerate installed apps.

The vulnerability exists due to improperly imposed security restrictions in iCloud. A local application can enumerate the user's installed apps.


30) Out-of-bounds read (CVE-ID: CVE-2025-64505)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the png_do_quantize function when processing PNG files with malformed palette indices. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and read contents of memory on the system.


31) Information exposure through log files (CVE-ID: CVE-2026-28868)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to inclusion of sensitive information into a log file in Kernel. A local application can disclose kernel memory.


32) Improper access control (CVE-ID: CVE-2026-28867)

The vulnerability allows a local user to execute arbitrary code in kernel space.

The vulnerability exists due to improper access control in the kernel when handling local application requests. A local user can exploit this to execute arbitrary code in kernel space.

Successful exploitation may allow the attacker to gain full control over the system.


33) Protection mechanism failure (CVE-ID: CVE-2026-28895)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to insufficient implementation of security measures in App Protection. An attacker with physical access to a device with Stolen Device Protection enabled can access biometrics-gated Protected Apps using only the passcode.


34) Input validation error (CVE-ID: CVE-2026-28874)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Baseband. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


35) Buffer overflow (CVE-ID: CVE-2026-28875)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in Baseband. A remote attacker can send specially crafted data to the system, trigger memory corruption and perform a denial of service attack.


36) Information disclosure (CVE-ID: CVE-2026-28863)

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in Sandbox Profiles. A local application can fingerprint the user.


37) Improper authentication (CVE-ID: CVE-2026-28856)

The vulnerability allows an attacker to bypass authentication checks.

The vulnerability exists due to an improper authentication mechanism in Siri. An attacker with physical access to a device can view sensitive user information.


38) Buffer overflow (CVE-ID: CVE-2026-28858)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in Telephony. A remote attacker can send specially crafted data to the service, trigger memory corruption and perform a denial of service attack.


Remediation

Install the update from the vendor's website.