CVE-2025-46286
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | ios | to 26.2 (inc) |
| apple | ipad_os | to 26.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic issue related to the validation process in iOS and iPadOS. Specifically, when restoring from a backup, the device may not require the passcode immediately after Face ID enrollment, potentially allowing bypass of the expected security step. This issue has been fixed in iOS 26.2 and iPadOS 26.2 with improved validation.
How can this vulnerability impact me? :
The vulnerability could allow an attacker to bypass the immediate passcode requirement after Face ID enrollment when restoring from a backup, potentially reducing the security of the device and allowing unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
Update your devices to iOS 26.2 or iPadOS 26.2, as these versions contain the fix for this vulnerability. Additionally, be aware that restoring from a backup may prevent the passcode from being required immediately after Face ID enrollment, so consider this when restoring devices.