CVE-2026-20645 Overview
CVE-2026-20645 is an information disclosure vulnerability affecting Apple iOS and iPadOS. The flaw stems from an inconsistent user interface state on locked devices. An attacker with physical access to a locked iPhone or iPad can view sensitive user information without authenticating. Apple addressed the issue through improved state management in iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, and iPadOS 26.3. The vulnerability maps to [CWE-1021] Improper Restriction of Rendered UI Layers or Frames. No public proof-of-concept exists, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
An attacker with physical access to a locked iOS or iPadOS device can bypass lock screen protections to view sensitive user information without entering credentials.
Affected Products
- Apple iOS versions prior to 18.7.5
- Apple iPadOS versions prior to 18.7.5
- Apple iOS versions prior to 26.3 and iPadOS versions prior to 26.3
Discovery Timeline
- 2026-02-11 - CVE-2026-20645 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-20645
Vulnerability Analysis
The vulnerability is a user interface confusion issue rooted in inconsistent UI state on locked Apple mobile devices. The lock screen is designed to enforce a strict boundary between authenticated and unauthenticated states. When state transitions are not handled atomically, UI elements that should remain hidden behind authentication can render while the device is still locked.
Apple classifies this issue under [CWE-1021], which covers improper restriction of rendered UI layers. The result is that sensitive user information surfaces in views accessible from the locked screen. Exploitation does not require network access, user interaction beyond the attacker's input, or elevated privileges. The confidentiality impact is significant, while integrity and availability remain unaffected.
Root Cause
The root cause is a race or logic flaw in how the operating system manages UI state during lock screen transitions. Specific affected views or sequences have not been disclosed by Apple. The fix introduces improved state management to ensure UI layers consistently reflect the device's authentication state.
Attack Vector
An attacker must have physical possession of the target device. The attacker manipulates the locked device through a sequence of supported interactions that triggers the inconsistent UI state. The sensitive information then becomes visible without bypassing the passcode or biometric authentication. Apple has not published technical details of the trigger sequence. Refer to the Apple Security Update 126346 and Apple Security Update 126347 advisories for vendor information.
Detection Methods for CVE-2026-20645
Indicators of Compromise
- No network-based indicators exist because exploitation requires physical access to the device.
- No file system artifacts are documented by Apple for this issue.
- Reports of unauthorized viewing of notifications, messages, or other lock-screen-adjacent data on shared or lost devices may indicate exploitation attempts.
Detection Strategies
- Inventory managed iOS and iPadOS devices through Mobile Device Management (MDM) to identify endpoints running versions prior to 18.7.5 or 26.3.
- Enforce compliance policies that flag and quarantine devices that have not received the fixed OS version.
- Review physical security incident reports, such as lost or stolen devices, for evidence of unauthorized data exposure prior to remote wipe.
Monitoring Recommendations
- Configure MDM to alert when devices fall behind on critical security updates from Apple.
- Track lock screen feature configurations across the fleet to ensure restrictive defaults are applied.
- Correlate device loss events with downstream account activity to detect potential information disclosure follow-on actions.
How to Mitigate CVE-2026-20645
Immediate Actions Required
- Update all iPhone and iPad devices to iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, or iPadOS 26.3 or later.
- Use MDM to push the update and enforce minimum OS version compliance across the fleet.
- Audit physical security controls for devices that handle sensitive data, including device storage, transport, and disposal procedures.
Patch Information
Apple released patches addressing this vulnerability through improved state management. Patch details are available in Apple Security Update 126346 and Apple Security Update 126347. Apply iOS 18.7.5, iPadOS 18.7.5, iOS 26.3, or iPadOS 26.3 to remediate the issue.
Workarounds
- Disable lock screen access to notification previews, widgets, Control Center, and Siri from MDM configuration profiles to reduce the attack surface until patches are applied.
- Enforce shorter auto-lock timeouts and require immediate passcode after lock to limit physical exposure windows.
- Enable Find My iPhone and remote wipe capabilities so lost or stolen devices can be cleared quickly.
# Verify installed iOS/iPadOS version on a managed device via MDM query
# Expected fixed versions: 18.7.5 or 26.3 (or later)
mdm query device --attribute OSVersion --device-id <DEVICE_ID>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

