CVE-2026-20661
📋 TL;DR
An authorization vulnerability in iOS and iPadOS allows attackers with physical access to a locked device to view sensitive user information. This affects users running vulnerable versions of iOS/iPadOS who leave their devices unattended while locked. The issue was addressed through improved state management in Apple's security updates.
💻 Affected Systems
- iPhone
- iPad
📦 What is this software?
iOS and iPadOS by Apple
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to sensitive personal data, financial information, private messages, or authentication credentials stored on the device.
Likely Case
Unauthorized viewing of recent notifications, photos, or app data accessible from lock screen without full device unlock.
If Mitigated
No data exposure if device is kept in secure location and proper physical security controls are enforced.
🎯 Exploit Status
Requires physical device access and specific timing/conditions during lock screen state transitions. No authentication bypass to full device access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iOS 26.3, iPadOS 26.3, iOS 18.7.5, iPadOS 18.7.5
Vendor Advisory: https://support.apple.com/en-us/126346
Restart Required: Yes
Instructions:
1. Open the Settings app.
2. Tap General > Software Update.
3. Download and install the available update.
4. The device will restart automatically.
🔧 Temporary Workarounds
Enable Stronger Lock Screen Restrictions
iOS/iPadOS: Configure the device to hide sensitive information from the lock screen and require an immediate passcode.
Settings > Face ID & Passcode > Turn off 'Today View and Search', 'Notification Center', 'Control Center' when locked
Reduce Auto-Lock Time
iOS/iPadOS: Set a shorter auto-lock timeout to minimize the window of opportunity.
Settings > Display & Brightness > Auto-Lock > Set to 30 seconds or 1 minute
🧯 If You Can't Patch
- Never leave devices unattended in public or unsecured areas
- Enable Find My iPhone remote wipe capability and configure strong passcodes
🔍 How to Verify
Check if Vulnerable:
Check Settings > General > About > Version. A device on the 26 branch is vulnerable if its version is earlier than 26.3; a device on the 18 branch is vulnerable if its version is earlier than 18.7.5.
Check Version:
Settings > General > About > Version
Verify Fix Applied:
After the update, verify that Settings > General > About > Version shows 26.3 or later (26 branch) or 18.7.5 or later (18 branch).
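For fleet-wide verification, the version rule above can be applied to an MDM inventory export. The script below is an added example, not Apple's code or part of the advisory; the inventory format and device names are constructed assumptions, and majors newer than 26 are assumed to include the fix.

```python
# Added example (not Apple's code): check inventory versions against the fixed
# releases this advisory names, iOS/iPadOS 26.3 and 18.7.5. Inventory format assumed.
from typing import List, Tuple

# Fixed release on each major-version branch named in the vendor advisory.
FIXED = {26: (26, 3), 18: (18, 7, 5)}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn 'iOS 18.7.4', 'iPadOS 26.3' or '26.2.1' into a tuple of ints."""
    s = s.strip()
    for prefix in ("iPadOS", "iOS"):
        if s.startswith(prefix):
            s = s[len(prefix):].strip()
            break
    parts = s.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the release is earlier than the fix on its own branch.

    Tuple comparison handles mixed lengths: (18, 7) < (18, 7, 5), so a bare
    '18.7' is correctly treated as not yet fixed. Majors newer than 26 are
    assumed to include the fix; majors with no fix named are vulnerable.
    """
    v = parse_version(version)
    if v[0] > 26:
        return False
    fixed = FIXED.get(v[0])
    return True if fixed is None else v < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Names of devices still on a vulnerable release, in inventory order."""
    return [name for name, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("iphone-alice", "iOS 26.3"),
    ("ipad-bob", "iPadOS 18.7.4"),
    ("iphone-carol", "iOS 26.2.1"),
    ("iphone-erin", "iOS 17.6.1"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: vulnerable, update required")
```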
📡 Detection & Monitoring
Log Indicators:
- Unusual lock/unlock patterns in device logs
- Multiple failed authentication attempts followed by successful screen access
Network Indicators:
- None - this is a local physical access vulnerability
SIEM Query:
Device logs showing lock screen state changes without corresponding successful authentication