CVE-2026-20640
📋 TL;DR
An attacker with physical access to an iPhone can take and view screenshots of sensitive data during iPhone Mirroring with a Mac. This vulnerability affects iPhone users who use the iPhone Mirroring feature with macOS and have not yet applied the security update.
💻 Affected Systems
- iPhone
- iPad
📦 What is this software?
iPadOS by Apple
⚠️ Risk & Real-World Impact
Worst Case
Attacker captures screenshots containing passwords, financial data, private messages, or other sensitive information displayed during iPhone Mirroring sessions.
Likely Case
Attacker in physical proximity (coffee shop, office, public space) briefly accesses an unattended iPhone-Mac mirroring session to capture visible sensitive data.
If Mitigated
Minimal impact if users maintain physical security of devices and disable iPhone Mirroring when not in use.
🎯 Exploit Status
Requires physical access to both the iPhone and the Mac during an active mirroring session. The attacker needs to interact with the Mac to trigger screenshot capture.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iOS 26.3, iPadOS 26.3
Vendor Advisory: https://support.apple.com/en-us/126346
Restart Required: No
Instructions:
1. Open the Settings app on the iPhone/iPad.
2. Go to General > Software Update.
3. Install the iOS 26.3 or iPadOS 26.3 update.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable iPhone Mirroring
macOS: Turn off the iPhone Mirroring feature when not actively using it to prevent unauthorized access.
On Mac: System Settings > General > AirDrop & Handoff > Turn off 'iPhone Mirroring'
Enable Screen Lock
All platforms: Ensure both the iPhone and the Mac have strong screen lock passwords/passcodes enabled.
On iPhone: Settings > Face ID & Passcode > Turn Passcode On
On Mac: System Settings > Lock Screen > Require password immediately
🧯 If You Can't Patch
- Disable the iPhone Mirroring feature completely on macOS
- Never leave iPhone-Mac mirroring sessions unattended in public or shared spaces
🔍 How to Verify
Check if Vulnerable:
Check the iOS/iPadOS version: Settings > General > About > Version. If the version is earlier than 26.3 and iPhone Mirroring is enabled, the device is vulnerable.
Check Version:
On iPhone/iPad: Settings > General > About > Version
Verify Fix Applied:
Confirm the iOS/iPadOS version shows 26.3 or later in Settings > General > About > Version.
📡 Detection & Monitoring
Log Indicators:
- Unexpected screenshot captures during iPhone Mirroring sessions in macOS console logs
- Multiple rapid screenshot events in system logs
Network Indicators:
- Unusual Handoff/AirDrop activity patterns between iPhone and Mac
SIEM Query:
source="macOS" event="screenshot" process="ScreenCaptureService" AND device_name="iPhone Mirroring"