CVE-2026-28864 in iOS
Summary
by MITRE • 03/25/2026
This issue was addressed with improved permissions checking. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A local attacker may gain access to user's Keychain items.
Analysis
by VulDB Data Team • 03/29/2026
This vulnerability represents a critical authorization flaw that existed in multiple Apple operating systems including iOS, iPadOS, macOS, visionOS, and watchOS. The issue stemmed from insufficient permissions checking mechanisms that allowed unauthorized access to sensitive user data stored in the Keychain. The Keychain serves as a secure storage system for passwords, certificates, and other cryptographic materials that are essential for maintaining user authentication and system security. When permissions checking is inadequately enforced, it creates a pathway for malicious actors to bypass normal access controls and retrieve protected information.
The technical nature of this vulnerability falls under the category of improper access control as classified by CWE-284, which specifically addresses weaknesses in authorization mechanisms. This flaw enabled a local attacker to exploit the system's permission model and gain access to user credentials and other sensitive information stored within the Keychain. The vulnerability was particularly concerning because it allowed attackers to access data that should have been protected by the system's security model, potentially leading to broader compromise of user accounts and systems. The implementation of improved permissions checking addressed the root cause by strengthening the authorization mechanisms that govern access to Keychain items.
The operational impact of this vulnerability extends beyond simple credential theft, as access to Keychain items can provide attackers with the means to escalate privileges and maintain persistent access to affected systems. Attackers could potentially access stored passwords for various services, cryptographic keys for secure communications, and other sensitive data that would normally require authentication or authorization. This type of vulnerability is particularly dangerous in enterprise environments where users may store corporate credentials, API keys, and other sensitive information in their Keychain. The attack vector was local, meaning that an attacker needed physical access to or prior compromise of the target system, but the implications were significant enough to warrant immediate patching across all affected platforms.
The remediation efforts focused on strengthening the permission checking mechanisms that govern access to Keychain items across all affected Apple operating systems. The patches released in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 implemented enhanced access controls that properly validate user permissions before allowing access to Keychain data. In ATT&CK terms, the flaw corresponds to the privilege escalation and credential access tactics, where adversaries seek to obtain credentials that provide elevated access to systems and data. Organizations should prioritize deploying these updates across all affected systems to prevent exploitation and maintain the integrity of their security infrastructure. The vulnerability demonstrates the importance of proper access control implementation and the potential consequences of insufficient permission checking in secure system design.
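To support the patch prioritization described above, the following added example (not code from VulDB or Apple) triages a device inventory against the fixed releases listed on this page. The inventory rows and hostnames are constructed, and the comparison assumes a device is measured against the fixed release of its own major version; any platform or major version the page does not list is reported as unknown instead of being guessed.

```python
# Fixed releases as listed on this page, keyed by platform and major version.
FIXED = {
    "iOS":      {18: (18, 7, 7), 26: (26, 4)},
    "iPadOS":   {18: (18, 7, 7), 26: (26, 4)},
    "macOS":    {14: (14, 8, 5), 15: (15, 7, 5), 26: (26, 4)},
    "visionOS": {26: (26, 4)},
    "watchOS":  {26: (26, 4)},
}

# Constructed sample inventory: (hostname, platform, reported OS version).
INVENTORY = [
    ("iphone-031", "iOS", "18.7.7"),
    ("ipad-014", "iPadOS", "18.7.6"),
    ("mbp-102", "macOS", "15.7.5"),
    ("mbp-117", "macOS", "26.3.1"),
    ("watch-007", "watchOS", "26.4"),
    ("iphone-002", "iOS", "17.7.2"),
]

def parse_version(text):
    """Turn '18.7.7' into (18, 7, 7); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(version, width=3):
    """Pad with zeros so that '26.4' compares equal to '26.4.0'."""
    return version + (0,) * (width - len(version))

def status(platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one device."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # beta strings, empty fields, malformed input
    branches = FIXED.get(platform, {})
    if v[0] not in branches:
        # Assumption: no fixed release on the page for this branch, so do not guess.
        return "unknown"
    return "patched" if pad(v) >= pad(branches[v[0]]) else "needs_update"

def triage(inventory):
    """Group hostnames by patch status."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for host, platform, version in inventory:
        report[status(platform, version)].append(host)
    return report

if __name__ == "__main__":
    for state, hosts in triage(INVENTORY).items():
        print(f"{state}: {', '.join(hosts)}")
```

Devices in the unknown group need manual review against the vendor advisory, since the page gives no fixed release for their branch.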