{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46286", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-04-22T21:13:49.959Z", "datePublished": "2026-01-09T21:14:39.092Z", "dateUpdated": "2026-04-02T18:18:29.314Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment."}], "references": [{"url": "https://support.apple.com/en-us/125884"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:18:29.314Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T21:34:06.534661Z", "id": "CVE-2025-46286", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T21:34:49.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-46286", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T21:34:06.534661Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T21:34:44.722Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.2", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/125884"}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-01-09T21:14:39.092Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46286", "state": "PUBLISHED", "dateUpdated": "2026-01-09T21:34:49.689Z", "dateReserved": "2025-04-22T21:13:49.959Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-01-09T21:14:39.092Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA029506-5678-444B-93B5-27DAD643A1C0", "versionEndExcluding": "26.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6276FDCA-3407-4FDD-8437-B57C98A97084", "versionEndExcluding": "26.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment."}], "id": "CVE-2025-46286", "lastModified": "2026-01-14T17:46:11.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-09T22:15:59.407", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125884"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:13:21.032668+00:00", "value": {"mitigation_remediation": ["Upgrade the device to iOS\u202f26.2 or iPadOS\u202f26.2 to receive the validation fix.", "If an update is not immediately possible, avoid restoring backups until a passcode is configured on the device.", "After performing a backup restore, verify that the passcode prompt appears before using Face\u202fID or other authentication methods."], "summary": {"action": "Patch", "impact": "Potential bypass of passcode enforcement"}, "threat_synthesis": {"affected_systems": "Apple\u2019s iOS and iPadOS operating systems are impacted. Prior to version\u202f26.2 of each OS the flaw exists, and the issue is fixed in iOS\u202f26.2 and iPadOS\u202f26.2. Devices running earlier releases without the update could be vulnerable.", "description_and_impact": "A logic flaw in the system validation allows the device to skip the passcode prompt when a backup is restored immediately after a Face\u202fID enrollment. This flaw can lead to unauthorized use of the device if an attacker has physical access. The weakness maps to improper authentication, as it permits access without the expected passcode credential.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than\u202f1\u202f% suggests a very low probability of exploitation. The vulnerability is not in the CISA KEV catalog. The attack requires physical access to perform a backup restore after a Face\u202fID enrollment, and no remote exploitation surface is described. The likely vector is a local victim device or account that an attacker can manipulate, with remediation available through an OS update."}}}}, "created": "2026-01-12T14:36:59.581540+00:00", "updated": "2026-04-22T20:15:20.537146+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "apple$PRODUCT$ipad_os"]}