CVE-2026-28957 Overview
CVE-2026-28957 is a low-severity access control weakness in Apple iOS, iPadOS, and visionOS. The flaw allows a locally installed app to capture a user's screen by abusing access to camera metadata. Apple addressed the issue with improved logic in iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, and visionOS 26.5. The vulnerability is classified under [CWE-284] Improper Access Control.
Critical Impact
A malicious app on an unpatched Apple device may capture screen contents through camera metadata, exposing data shown on screen without the user's awareness.
Affected Products
- Apple iOS (prior to 18.7.9 and 26.5)
- Apple iPadOS (prior to 18.7.9 and 26.5)
- Apple visionOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28957 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28957
Vulnerability Analysis
The issue resides in how iOS, iPadOS, and visionOS mediate application access to camera metadata. Insufficient validation in this code path allows an app to derive or capture content that should be restricted, including imagery rendered on the user's screen. Apple's advisory describes the fix as introducing improved logic to gate this metadata access. The vulnerability requires the attacker to have a locally executing app on the device and limited privileges, with no user interaction.
Root Cause
The root cause is an improper access control flaw [CWE-284] in the camera metadata interface. The operating system did not adequately enforce restrictions on what an application could observe through camera-related APIs. As a result, an app with standard entitlements could obtain information beyond its intended permission scope. Apple did not publish source-level details, but the fix is described as improved logic to enforce correct boundaries.
Attack Vector
Exploitation requires a malicious or compromised application installed locally on the device. The app does not need additional user interaction once running. By querying camera metadata pathways, the app can capture content displayed on the user's screen. Confidentiality impact is limited; the issue does not affect integrity or availability. No public proof-of-concept code, exploit module, or in-the-wild exploitation has been reported, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is publicly available. Refer to the Apple Support Article #127110 for the vendor description.
Detection Methods for CVE-2026-28957
Indicators of Compromise
- No public indicators of compromise have been published for CVE-2026-28957.
- Unexpected screen captures or screenshots appearing in application storage on unpatched devices may warrant review.
Detection Strategies
- Inventory Apple iOS, iPadOS, and visionOS devices to identify builds older than iOS/iPadOS 18.7.9, iOS/iPadOS 26.5, or visionOS 26.5.
- Review installed third-party applications for unexpected requests to camera entitlements or background camera activity.
- Use Mobile Device Management (MDM) compliance policies to flag devices running vulnerable OS versions.
Monitoring Recommendations
- Monitor MDM telemetry for OS version drift and enforce minimum supported builds.
- Audit App Store and enterprise-deployed app inventories for apps requesting camera or screen recording permissions without business justification.
- Track Apple security advisories 127110, 127111, and 127120 for related camera or privacy fixes.
How to Mitigate CVE-2026-28957
Immediate Actions Required
- Update iPhone and iPad devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, or iPadOS 26.5.
- Update Apple Vision Pro devices to visionOS 26.5.
- Restrict installation of non-vetted third-party applications on managed devices via MDM.
- Revoke camera permissions for applications that do not require them.
Patch Information
Apple released fixes in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, and visionOS 26.5. Patch details are documented in Apple Support Article #127110, Apple Support Article #127111, and Apple Support Article #127120. Administrators should enforce the patched builds through MDM update policies.
Workarounds
- No vendor-supplied workaround is available; apply the patched OS versions.
- Limit camera permission grants to applications with verified business need.
- Use MDM configuration profiles to disable installation of untrusted apps until devices are updated.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
