CVE-2026-20638 is a logic vulnerability identified in Apple iOS and iPadOS related to the Live Caller ID app extensions feature. Live Caller ID extensions allow third-party apps to provide caller identification services during incoming calls. The vulnerability arises because the system did not properly enforce the user's preference when Live Caller ID extensions were turned off, allowing these extensions to still receive identifying information about the caller. This represents a failure in access control (CWE-284), where unauthorized data disclosure occurs despite user settings intended to prevent it. The issue affects unspecified versions of iOS and iPadOS prior to 26.3, where Apple implemented improved checks to ensure that when Live Caller ID extensions are disabled, they cannot access identifying data. The CVSS v3.1 base score is 5.5 (medium severity), reflecting that exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), but user interaction (UI:R) is necessary, and the impact is limited to confidentiality (C:H) without affecting integrity or availability. No known exploits have been reported in the wild, indicating limited active exploitation so far. The vulnerability primarily risks leaking personal identifying information to unauthorized app extensions, potentially compromising user privacy. This flaw highlights the importance of rigorous enforcement of user privacy settings in mobile operating systems, especially for features involving sensitive personal data like caller identification.

The primary impact of CVE-2026-20638 is the unauthorized disclosure of identifying information to Live Caller ID app extensions even when users have disabled these extensions. This breach of confidentiality can lead to privacy violations, including unwanted profiling, targeted phishing, or social engineering attacks leveraging leaked caller data. Organizations relying on Apple devices for communication may face risks of sensitive information leakage, potentially undermining user trust and compliance with privacy regulations such as GDPR or CCPA. Although the vulnerability does not affect system integrity or availability, the exposure of personal data can have reputational and legal consequences. The requirement for user interaction and local access limits large-scale remote exploitation but does not eliminate risk in environments where attackers have physical or local access to devices. Overall, the threat is moderate but significant for privacy-conscious users and organizations handling sensitive communications on Apple mobile platforms.

To mitigate CVE-2026-20638, organizations and users should promptly update all affected Apple devices to iOS and iPadOS version 26.3 or later, where the vulnerability is fixed. Beyond patching, administrators should audit and restrict the installation of Live Caller ID app extensions, especially from untrusted sources, to minimize exposure. Users should review app permissions regularly and disable or uninstall unnecessary caller ID extensions. For enterprise-managed devices, applying Mobile Device Management (MDM) policies to control app extensions and enforce security configurations can reduce risk. Additionally, educating users about the importance of cautious interaction with incoming calls and app permissions can help prevent exploitation. Monitoring for unusual app behavior or data access patterns related to caller ID extensions may provide early detection of attempts to exploit this vulnerability. Since no known exploits exist in the wild, proactive patching and permission management remain the most effective defenses.