CVE-2026-20638

5.5 MEDIUM

📋 TL;DR

This vulnerability allows identifying information to leak to Live Caller ID app extensions even when those extensions are disabled. It affects iOS and iPadOS users who have disabled Live Caller ID extensions but remain on vulnerable versions.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
Versions: Versions prior to iOS 26.3 and iPadOS 26.3
Operating Systems: iOS, iPadOS
Default Config Vulnerable: ✅ No
Notes: Only affects devices with Live Caller ID app extensions installed but turned off.

📦 What is this software?

Live Caller ID Lookup is the iOS/iPadOS framework (introduced with iOS 18) that lets a third-party app supply caller identification and spam-blocking information for incoming calls through an app extension. The user chooses which extensions are active in Phone settings; an extension that is turned off is not supposed to receive anything about incoming calls. This CVE is a failure of that boundary: identifying information reaches extensions the user has disabled.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Identifying information about incoming calls reaches a Live Caller ID extension the user has explicitly turned off, so the consent the toggle is meant to express is bypassed. If that extension belongs to a malicious or compromised app, it can collect private contact information and call patterns.

🟠

Likely Case

Limited information leakage to extensions that the user has already installed but disabled, with potential privacy implications depending on extension permissions.

🟢

If Mitigated

Once the device is on iOS 26.3 / iPadOS 26.3, a disabled extension no longer receives identifying information. Note that disabling alone is not a mitigation on unpatched versions: the leak happens precisely to extensions that are turned off.

🌐 Internet-Facing: LOW - This is a local device vulnerability requiring app extensions to be present.
🏢 Internal Only: MEDIUM - Affects mobile devices that may contain sensitive contact information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires malicious or compromised app extensions to be present on device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 26.3, iPadOS 26.3

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: Yes

Instructions:

1. Go to Settings > General > Software Update.
2. Download and install iOS 26.3 or iPadOS 26.3.
3. Restart the device after installation completes.

🔧 Temporary Workarounds

Remove Live Caller ID Extension Apps

iOS/iPadOS

Turning an extension off is not a workaround here: the defect is that a disabled extension still receives identifying information. Until the device is patched, uninstall any third-party app that provides a Live Caller ID extension; deleting the app removes its extension.

Settings > Phone > Live Caller ID lists the installed extensions (path as given on this page) and shows which apps need to be removed.

🧯 If You Can't Patch

  • Remove (uninstall) every third-party app that provides a Live Caller ID extension; do not rely on toggling the extension off, since that is exactly the state in which this issue leaks data
  • Until patched, treat any Live Caller ID extension that remains installed as though it were enabled when assessing what call data reaches it

🔍 How to Verify

Check if Vulnerable:

Check Settings > General > About > Version. If version is earlier than 26.3, device is vulnerable.

Check Version:

Settings > General > About > Version

Verify Fix Applied:

Confirm device shows iOS 26.3 or iPadOS 26.3 in Settings > General > About > Version.
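For a managed fleet the same check is done against MDM inventory rather than one screen at a time. The script below is an added example, not from Apple or the advisory: it assumes a hypothetical export with one device per line as `serial,product,os_version`, and flags iOS/iPadOS devices whose version is below 26.3. The comparison is numeric per component, because a naive string compare ranks "26.10" below "26.3" and would mark a patched device as vulnerable; the sample inventory is constructed.

```python
"""Flag iOS/iPadOS devices still below the CVE-2026-20638 fix version.

Added example, not Apple's code. Assumes a hypothetical MDM export with
one device per line formatted as: serial,product,os_version
"""
from __future__ import annotations

from typing import Iterable

# Fix versions stated in the Apple advisory (iOS 26.3 / iPadOS 26.3).
FIXED_VERSIONS = {"iOS": (26, 3), "iPadOS": (26, 3)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '26.3.1' into (26, 3, 1). Numeric, not lexical: '26.10' > '26.3'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the product is affected and its version predates the fix.

    Compares component-wise so 26.3.0 equals 26.3 and 26.10 is newer
    than 26.3. Products not listed in FIXED_VERSIONS are not affected
    by this CVE and are never flagged.
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False
    v = parse_version(version)
    # Pad the shorter tuple with zeros so (26, 3) == (26, 3, 0).
    width = max(len(v), len(fixed))
    v_pad = v + (0,) * (width - len(v))
    f_pad = fixed + (0,) * (width - len(fixed))
    return v_pad < f_pad


def vulnerable_devices(inventory: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (serial, product, version) for every device still unpatched."""
    flagged = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or header comment
        serial, product, version = (field.strip() for field in line.split(","))
        if is_vulnerable(product, version):
            flagged.append((serial, product, version))
    return flagged


# Constructed sample export; serials and versions are made up for illustration.
SAMPLE_INVENTORY = """\
# serial,product,os_version
DEMO0001,iOS,26.2.1
DEMO0002,iOS,26.3
DEMO0003,iPadOS,26.10
DEMO0004,iPadOS,25.7.2
DEMO0005,macOS,26.3
"""

if __name__ == "__main__":
    for serial, product, version in vulnerable_devices(SAMPLE_INVENTORY.splitlines()):
        print(f"{serial}: {product} {version} is below the fixed version")
```

Only DEMO0001 and DEMO0004 are reported: DEMO0003 on iPadOS 26.10 is newer than 26.3 despite sorting lower as a string, and DEMO0005 is skipped because macOS is not in this CVE's affected list. Point the inventory reader at your real MDM export and, if you also track installed apps, intersect the result with devices that have a Live Caller ID extension app, since those are the only ones exposed.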

📡 Detection & Monitoring

Log Indicators:

  • No vendor-published log signature exists for this issue; the advisory describes no observable signal on the device
  • On managed fleets, the practical indicator is inventory: any iOS/iPadOS device reporting a version below 26.3 that also has a Live Caller ID extension app installed

Network Indicators:

  • None - local vulnerability only

SIEM Query:

Not applicable as a network or endpoint query; the equivalent check is an MDM inventory filter for OS version below 26.3 on iOS/iPadOS devices
