CVE-2026-20663 – This vulnerability allows malicious apps to enu... (How to Fix)

Q: What is the severity of CVE-2026-20663?

CVE-2026-20663 has a CVSS score of 3.3 (LOW). This vulnerability allows malicious apps to enumerate a user's installed applications on iOS and iPadOS devices. It affects users running vulnerable versions of iOS and iPadOS who install untrusted applications. The issue was resolved through improved logging sanitization.

📋 TL;DR

This vulnerability allows malicious apps to enumerate a user's installed applications on iOS and iPadOS devices. It affects users running vulnerable versions of iOS and iPadOS who install untrusted applications. The issue was resolved through improved logging sanitization.

💻 Affected Systems

Products:

iOS
iPadOS

Versions: Versions prior to iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5

Operating Systems: iOS, iPadOS

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running affected iOS/iPadOS versions are vulnerable by default when running untrusted applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could profile a user's device, identifying installed security apps, banking apps, or other sensitive applications to target with tailored attacks.

🟠

Likely Case

Malicious apps could gather information about installed applications for advertising profiling or to identify potential attack vectors.

🟢

If Mitigated

With proper app vetting and security controls, the risk is limited to information disclosure about installed applications.

🌐 Internet-Facing: LOW - This requires local app execution, not network exposure.

🏢 Internal Only: MEDIUM - Malicious apps could exploit this to gather intelligence about corporate devices and installed enterprise applications.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires a malicious app to be installed on the target device. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 26.3, iPadOS 26.3, iOS 18.7.5, iPadOS 18.7.5

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: No

Instructions:

1. Open Settings app. 2. Tap General. 3. Tap Software Update. 4. Install available update to iOS 26.3/iPadOS 26.3 or iOS 18.7.5/iPadOS 18.7.5.

🔧 Temporary Workarounds

Restrict App Installation

all

Only install apps from trusted sources and the official App Store

🧯 If You Can't Patch

Implement mobile device management (MDM) to control app installation
Educate users about risks of installing untrusted applications

🔍 How to Verify

Check if Vulnerable:

Check iOS/iPadOS version in Settings > General > About > Version

Check Version:

Not applicable - check via device Settings interface

Verify Fix Applied:

Verify version is iOS 26.3, iPadOS 26.3, iOS 18.7.5, or iPadOS 18.7.5 or later

📡 Detection & Monitoring

Log Indicators:

Unusual app enumeration attempts in system logs
Suspicious app behavior accessing installed app information

Network Indicators:

Not applicable - local vulnerability

SIEM Query:

Not applicable for typical SIEM monitoring of mobile devices

📊 Metadata

CVE ID: CVE-2026-20663

CVSS v3 Score: 3.3 (LOW)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-532

EPSS Score: 0.01% exploit probability (0.8th percentile)

Published: February 11, 2026

Last Updated: February 12, 2026

🔗 References

https://support.apple.com/en-us/126346 Release Notes,Vendor Advisory
https://support.apple.com/en-us/126347 Release Notes,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-20663, you might also want to check these: