
My First CVE — CVE-2026-28882

by andrd3v
CVE-2026-28882 — a privacy issue in libxpc on iOS. An app could enumerate a user's installed apps and running processes. Fixed by Apple with improved checks across all platforms.

A couple of months ago I reported a privacy bug in libxpc on iOS to Apple. An app could use it to find out what other apps you have installed and what processes are running.

Apple patched it across all platforms, and my name ended up on the advisory. First CVE. I'm not going to pretend I played it cool when I saw it.

Apple security advisory crediting andrd3v for CVE-2026-28882


I can't share the technical details for now.

First one down. Won't be the last.
