CVE-2026-20674: Sensitive information could potentially be accessed through Accessibility services while the device is locked. This issue is fixed in iOS 26.3 and iPadOS 26.3. (3rd Mar 2026)

Preface: In iOS development, CVE-2026-20674 relates to a security vulnerability where sensitive information could potentially be accessed through Accessibility services while the device is locked.

Background: UIApplication.shared.isProtectedDataAvailable impacts the iOS lock screen because it directly reflects whether user-encrypted data (Keychain items, files) is accessible given the device’s lock state. While the device is locked it returns false, so apps launched in the background (e.g., via notifications or prewarming) fail to read sensitive data, which can lead to incorrect app state or spurious user logouts.

Key reasons for the impact:

  • Encrypted Data Lock: Files protected with NSDataWritingFileProtectionComplete or NSDataWritingFileProtectionCompleteUnlessOpen are inaccessible until the user unlocks the device.
  • Background Launch Failures: If an app is launched in the background (e.g., notification, Live Activity) while the screen is locked, attempts to read credentials from the Keychain or files will return nil, potentially causing the user to be signed out.
  • State Corruption: Initializing data or reading from UserDefaults while the device is locked might read empty/default values, allowing the app to incorrectly overwrite existing secure data. 
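The following Swift snippet is an added example (not part of the advisory or of Apple's documentation) of handling these three failure modes on the app side: it checks isProtectedDataAvailable before touching the Keychain, treats errSecInteractionNotAllowed as "device locked" rather than "no session", and retries once protectedDataDidBecomeAvailableNotification fires, so a locked-screen background launch never signs the user out or overwrites stored state. The service and account names are hypothetical, and the token is assumed to have been stored with kSecAttrAccessibleWhenUnlocked.

```swift
import UIKit
import Security
// Added example, not from the advisory; service/account are hypothetical identifiers.
enum SessionState { case signedIn(String), signedOut, deferredUntilUnlock }
final class SessionManager {
    private let service = "com.example.app.session"   // hypothetical
    private let account = "accessToken"               // hypothetical
    private var unlockObserver: NSObjectProtocol?
    /// Call from a background launch; never reports .signedOut just because the device is locked.
    func restoreSession() -> SessionState {
        // Locked device: WhenUnlocked Keychain items and Complete-protected files are unreadable.
        guard UIApplication.shared.isProtectedDataAvailable else {
            waitForUnlock()
            return .deferredUntilUnlock
        }
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        switch SecItemCopyMatching(query as CFDictionary, &item) {
        case errSecSuccess:
            guard let data = item as? Data, let token = String(data: data, encoding: .utf8) else { return .signedOut }
            return .signedIn(token)
        case errSecInteractionNotAllowed:
            // Keychain refused because the item is lock-protected: defer, do not overwrite state.
            waitForUnlock()
            return .deferredUntilUnlock
        default:
            // errSecItemNotFound or another error: there genuinely is no stored session.
            return .signedOut
        }
    }
    private func waitForUnlock() {
        guard unlockObserver == nil else { return }
        unlockObserver = NotificationCenter.default.addObserver(
            forName: UIApplication.protectedDataDidBecomeAvailableNotification,
            object: nil, queue: .main) { [weak self] _ in
                guard let self = self, let token = self.unlockObserver else { return }
                NotificationCenter.default.removeObserver(token)
                self.unlockObserver = nil
                _ = self.restoreSession()   // retry now that protected data is readable
            }
    }
}
```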

Vulnerability details: A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.

Official announcement: Please refer to the link for details.

https://nvd.nist.gov/vuln/detail/CVE-2026-20674
