CVE-2026-28878 in iOS
Summary
by MITRE • 03/25/2026
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
Analysis
by VulDB Data Team • 03/29/2026
This vulnerability represents a significant privacy flaw that allows malicious applications to discover and enumerate the complete list of applications installed on a user's device. The issue stems from insufficient access controls and data protection mechanisms within the operating system's application enumeration APIs. Attackers could exploit this weakness to gather comprehensive information about a user's software environment, potentially enabling more sophisticated targeted attacks. The vulnerability affects multiple Apple platforms including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, indicating a systemic issue in the operating system's privacy protection architecture.
Technically, the flaw comes down to improper authorization checks in the system's application management interfaces. When an app queries the set of installed software, the system fails to validate whether the requesting app is permitted to access that information. The result is an information disclosure weakness classified under CWE-200 (exposure of sensitive information): an installed app can traverse the application registry and extract installation details without the device owner's consent or any explicit permission grant.
From an operational perspective, this vulnerability poses serious risks to user privacy and security. The enumeration of installed applications provides attackers with valuable intelligence about potential software targets, including productivity suites, banking applications, communication tools, and other sensitive software. This information could be used to craft more convincing phishing attacks, identify vulnerable applications, or map out a user's digital ecosystem for further exploitation. The attack surface expands significantly when combined with other reconnaissance techniques, as attackers can now build comprehensive profiles of individual users' software environments. This vulnerability aligns with ATT&CK technique T1612 for data staging and T1082 for system information discovery, representing a critical privacy breach that undermines user trust in the platform's security measures.
The fix implemented by Apple addresses this issue through enhanced access controls and stricter validation of application enumeration requests. The security updates across all affected platforms ensure that only authorized system processes and applications with proper entitlements can access installed application lists. This remediation involves implementing proper privilege checking mechanisms and restricting access to sensitive system APIs that expose application installation data. Organizations should immediately deploy these updates across all affected devices to prevent potential exploitation and maintain compliance with privacy regulations. The fix demonstrates Apple's commitment to addressing privacy concerns through proactive security measures while maintaining the platform's overall security posture.
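To act on the remediation advice above, an administrator needs to know which devices in an inventory are still on a release without the fix. The following Python script is an added example and is not code from VulDB or Apple. The fixed release numbers are the ones stated in the advisory summary; the platform labels, status names and the sample device inventory are this example's own constructions. It handles the two details that make this advisory easy to get wrong: several platforms have two supported branches (iOS 18.x and iOS 26.x) with separate fixed releases, and version strings must be compared numerically rather than as text.

```python
"""Patch-status check for CVE-2026-28878 across Apple platforms.

Added example, not code from VulDB or Apple. The fixed versions are the ones
listed in the advisory summary; platform labels, status names and the device
inventory below are this example's own constructions.
"""
from __future__ import annotations

# Fixed releases per platform, as listed in the advisory. Several platforms
# have two supported branches (e.g. iOS 18.x and iOS 26.x), each with its own fix.
FIXED_VERSIONS: dict[str, list[str]] = {
    "iOS": ["18.7.7", "26.4"],
    "iPadOS": ["18.7.7", "26.4"],
    "macOS": ["14.8.5", "26.4"],
    "tvOS": ["26.4"],
    "visionOS": ["26.4"],
    "watchOS": ["26.4"],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '18.7.7' into (18, 7, 7) so versions compare numerically, not as
    strings ('18.7.10' must sort after '18.7.7')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(platform: str, version: str) -> str:
    """Classify one device against the advisory.

    'patched'         - on a fixed branch at or above the fixed release, or on a
                        newer major release than any listed fix
    'vulnerable'      - on a fixed branch but below the fixed release
    'unlisted-branch' - a major release the advisory lists no fix for
                        (flag for manual review rather than guessing)
    'not-covered'     - platform not named in the advisory
    'invalid'         - version string could not be parsed
    """
    fixes = FIXED_VERSIONS.get(platform)
    if fixes is None:
        return "not-covered"
    try:
        installed = parse_version(version)
    except ValueError:
        return "invalid"
    fixed = sorted(parse_version(f) for f in fixes)
    # Same major as a listed fix: the device needs that fix or a later point release.
    for fix in fixed:
        if installed[0] == fix[0]:
            return "patched" if installed >= fix else "vulnerable"
    # A major release newer than the newest listed fix already carries the fix.
    if installed[0] > fixed[-1][0]:
        return "patched"
    return "unlisted-branch"


def devices_needing_action(inventory: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Return (device_id, status) for every device not confirmed as patched."""
    results = []
    for device in inventory:
        status = patch_status(device["platform"], device["version"])
        if status != "patched":
            results.append((device["id"], status))
    return results


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "18.7.6"},
    {"id": "iphone-02", "platform": "iOS", "version": "26.4"},
    {"id": "ipad-01", "platform": "iPadOS", "version": "26.3.1"},
    {"id": "mac-01", "platform": "macOS", "version": "14.8.5"},
    {"id": "mac-02", "platform": "macOS", "version": "15.3"},
    {"id": "watch-01", "platform": "watchOS", "version": "26.4.1"},
    {"id": "tv-01", "platform": "tvOS", "version": "26.4-beta"},
]

if __name__ == "__main__":
    for device_id, status in devices_needing_action(SAMPLE_INVENTORY):
        print(f"{device_id}: {status}")
```

A macOS 15.x device lands in `unlisted-branch` because the advisory names only Sonoma 14.8.5 and Tahoe 26.4; the script deliberately does not guess whether that branch is unaffected or unfixed, and leaves it for the administrator to confirm against Apple's release notes.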