CVE-2026-20655

5.5 MEDIUM

📋 TL;DR

An authorization vulnerability in iOS and iPadOS allows attackers with physical access to a locked device to view sensitive user information. This affects users running vulnerable versions of iOS/iPadOS who leave their devices unattended while locked. The issue was addressed through improved state management in Apple's security updates.

💻 Affected Systems

Products:
  • iPhone
  • iPad
Versions: iOS/iPadOS versions prior to 26.3 and 18.7.5
Operating Systems: iOS, iPadOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard configurations of affected iOS/iPadOS versions are vulnerable. Requires physical access to locked device.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains access to sensitive personal data, financial information, private messages, or authentication tokens stored on the device while it's locked.

🟠 Likely Case: Unauthorized viewing of notifications, recent photos, or limited app data when the device is locked but the screen is active.

🟢 If Mitigated: No access to sensitive data when proper physical security controls and updated software are in place.

🌐 Internet-Facing: LOW - Requires physical device access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Physical access threats exist in shared workspaces, lost/stolen devices, or social engineering scenarios.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires physical device access and specific timing/conditions while device is locked. No authentication bypass for full device access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 26.3, iPadOS 26.3, iOS 18.7.5, iPadOS 18.7.5

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: Yes

Instructions:

1. Open the Settings app.
2. Tap General.
3. Tap Software Update.
4. Download and install the available update.
5. The device will restart automatically.

🔧 Temporary Workarounds

Enable Auto-Lock with Short Timer (applies to: all)

Reduces the window of opportunity by automatically locking the device after a short inactivity period.

Disable Lock Screen Notifications (applies to: all)

Prevents sensitive information from appearing on the lock screen.

🧯 If You Can't Patch

  • Implement strict physical security controls for devices
  • Enable Find My iPhone remote wipe capability for lost/stolen devices

🔍 How to Verify

Check if Vulnerable:

Check Settings > General > About > Version. A device on the 26.x line running a version earlier than 26.3, or on the 18.x line running a version earlier than 18.7.5, is vulnerable.

Check Version:

Not applicable - check via device Settings UI

Verify Fix Applied:

Confirm version shows iOS 26.3/iPadOS 26.3 or iOS 18.7.5/iPadOS 18.7.5 in Settings > General > About > Version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual lock/unlock patterns
  • Failed authentication attempts while device locked

Network Indicators:

  • None - local physical access vulnerability

SIEM Query:

Not applicable - physical access vulnerability with no network indicators
