CVE-2026-20638 is a logic vulnerability identified in Apple’s iOS and iPadOS operating systems, specifically related to the Live Caller ID app extensions feature. Live Caller ID extensions are designed to provide enhanced caller identification by allowing third-party apps to display caller information. However, due to a flaw in the logic controlling data sharing, a user who has explicitly turned off Live Caller ID app extensions could still have identifying information leaked to these extensions. This occurs because the system did not properly enforce the user’s preference to disable these extensions, leading to unintended data exposure. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the system failed to correctly restrict access to sensitive data. The CVSS v3.1 base score is 5.5 (medium severity), reflecting that the attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The impact is high on confidentiality (C:H), with no impact on integrity or availability. Apple fixed this issue in iOS and iPadOS 26.3 by implementing improved checks to ensure that when Live Caller ID extensions are disabled, no identifying information is shared with them. There are no known exploits in the wild at this time, but the vulnerability poses a privacy risk by potentially exposing user identity data to unauthorized app extensions.

The primary impact of CVE-2026-20638 is the unauthorized disclosure of identifying information from users who have disabled Live Caller ID app extensions on their iOS or iPadOS devices. This leakage compromises user privacy and could be exploited by malicious or compromised third-party extensions to gather sensitive data without user consent. While the vulnerability does not affect the integrity or availability of the system, the confidentiality breach could lead to targeted phishing, social engineering, or surveillance attacks. Organizations relying on Apple mobile devices, especially those handling sensitive or regulated data, may face increased risks of data leakage and privacy violations. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk in environments where users receive calls from unknown or malicious sources. The absence of known exploits reduces immediate threat but patching is critical to prevent future abuse.

To mitigate CVE-2026-20638, organizations and users should promptly update all affected Apple devices to iOS and iPadOS version 26.3 or later, where the issue is fixed. Beyond patching, administrators should review and restrict the installation of third-party Live Caller ID extensions, especially from untrusted sources, to minimize exposure. Implement mobile device management (MDM) policies that enforce extension controls and monitor app permissions related to caller ID features. Educate users about the risks of installing unknown caller ID apps and encourage cautious handling of incoming calls from unverified numbers. Regularly audit device configurations to ensure that privacy settings, including Live Caller ID extensions, are correctly applied and enforced. Finally, monitor for unusual app behavior or data access patterns that could indicate exploitation attempts.