PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28882 Apple CVE debrief

CVE-2026-28882 is a privacy-related Apple issue where an app may be able to enumerate a user's installed apps. Apple says the fix was applied with improved checks, and the CVE is marked as fixed in iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. NVD rates the issue as local, with no privileges or user interaction required, and low confidentiality impact.

Vendor: Apple
Product: CVE-2026-28882
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-11
Advisory published: 2026-03-25
Advisory updated: 2026-05-11

Who should care

Organizations and individuals running Apple devices on the affected OS branches should care, especially if installed-app visibility could expose sensitive business, security, or personal information. Mobile device administrators, fleet operators, and privacy-sensitive users should prioritize the listed updates.

Technical summary

The publicly available description is brief: an app may be able to enumerate installed apps on the device. Apple attributes the remediation to improved checks, but the supplied corpus does not provide a deeper root-cause explanation. NVD assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a local issue with limited confidentiality impact and no integrity or availability impact. NVD does not assign a specific CWE, using NVD-CWE-noinfo.

Defensive priority

Medium. The issue is privacy-focused rather than a direct code-execution or data-loss vulnerability, but installed-app enumeration can still aid profiling, targeting, or security-relevant reconnaissance. Update affected Apple platforms promptly, especially on managed devices or where app inventory is sensitive.

Recommended defensive actions

  • Apply the Apple updates identified for the affected platforms: iOS 18.7.9, iPadOS 18.7.9, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4.
  • Review fleet compliance to confirm devices are on fixed versions and remove or isolate any systems that remain on vulnerable builds.
  • Treat installed-app visibility as sensitive telemetry and minimize exposure of app inventory data in logs, reports, and diagnostics.
  • For managed Apple environments, verify that MDM and endpoint baselines reflect the patched versions and current security policy.
  • Monitor Apple security release notes and NVD updates for any additional clarification or scope changes related to this CVE.
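As an added example supporting the fleet-compliance step above (this is illustrative code, not a PatchSiren or Apple tool), the following Python classifies each device in an inventory export against the fixed builds listed for this CVE. The fixed-version table is copied from the debrief; the platform names, the three-column inventory shape and the sample rows are constructed assumptions. Versions are compared as integer tuples rather than strings, so a later patch level such as 18.7.10 is correctly ranked above 18.7.9, and anything the debrief does not settle (a branch with no listed fix, an unlisted platform, or an unparseable version) is routed to a "review" bucket instead of being silently counted as compliant.

```python
# Fixed versions per platform and release branch for CVE-2026-28882, copied
# from the Apple fix list quoted in the debrief above.
FIXED_VERSIONS = {
    "iOS":      {18: (18, 7, 9), 26: (26, 4)},
    "iPadOS":   {18: (18, 7, 9), 26: (26, 4)},
    "macOS":    {26: (26, 4)},
    "tvOS":     {26: (26, 4)},
    "visionOS": {26: (26, 4)},
    "watchOS":  {26: (26, 4)},
}


def parse_version(text):
    """'26.4.1' -> (26, 4, 1). Tuples compare numerically, so 18.7.10 sorts
    after 18.7.9; a plain string comparison would get that backwards."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(platform, version_text):
    """Classify one device as 'fixed', 'vulnerable' or 'review'.

    'review' covers everything this debrief cannot settle: platforms it does
    not list, release branches with no listed fix, and unparseable versions."""
    branches = FIXED_VERSIONS.get(platform)
    if branches is None:
        return "review", f"platform {platform!r} not covered by this debrief"
    try:
        version = parse_version(version_text)
    except ValueError as exc:
        return "review", str(exc)
    fixed = branches.get(version[0])
    if fixed is None:
        return "review", f"{platform} {version_text}: no fixed build listed for this branch"
    fixed_text = ".".join(map(str, fixed))
    if version >= fixed:
        return "fixed", f"{platform} {version_text} >= {fixed_text}"
    return "vulnerable", f"{platform} {version_text} < {fixed_text}"


def compliance_report(inventory):
    """Group device ids by status; inventory rows are (device_id, platform, version)."""
    report = {"fixed": [], "vulnerable": [], "review": []}
    for device_id, platform, version_text in inventory:
        status, _reason = assess(platform, version_text)
        report[status].append(device_id)
    return report


# Constructed sample inventory (not real fleet data), shaped like an MDM export.
SAMPLE_INVENTORY = [
    ("ipad-001",   "iPadOS",  "18.7.9"),   # exactly the fixed build
    ("iphone-002", "iOS",     "18.7.8"),   # one build short on the 18.x branch
    ("iphone-003", "iOS",     "26.3.1"),   # 26.x branch, below 26.4
    ("mac-004",    "macOS",   "26.4"),
    ("watch-005",  "watchOS", "26.4.1"),   # later point release, still fixed
    ("mac-006",    "macOS",   "15.7"),     # branch not in the fix list
    ("iphone-007", "iOS",     "18.7.10"),  # a string compare would call this vulnerable
    ("tv-008",     "tvOS",    "unknown"),  # malformed or absent version
]

if __name__ == "__main__":
    for device_id, platform, version_text in SAMPLE_INVENTORY:
        status, reason = assess(platform, version_text)
        print(f"{device_id:<11} {status:<11} {reason}")
```

The "review" bucket is deliberate: the debrief only states fixed builds for the 18.x and 26.x lines, so a device on some other branch should be checked against Apple's release notes rather than assumed either safe or affected.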

Evidence notes

This debrief uses only the supplied CVE/NVD corpus and Apple support references. The CVE was published on 2026-03-25T01:17:12.057Z and later modified by NVD on 2026-05-11T21:18:52.537Z; those dates are used only as disclosure/timeline context. Apple’s supplied reference text states the issue was addressed with improved checks and lists the fixed OS versions. NVD’s CVSS vector and CPE criteria indicate affected Apple OS families up to, but not including, version 26.4 for the listed branches.

Official resources

Publicly disclosed through the CVE record and NVD on 2026-03-25, with NVD later updating the record on 2026-05-11. Apple’s supplied references describe the remediation as improved checks and identify fixed OS versions across iPhone, iPad, i