Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
AnalysisAI
Out-of-bounds memory access in Apple media processing affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, allowing remote attackers to trigger unexpected application termination or memory corruption through maliciously crafted media files. The vulnerability requires user interaction (opening/playing the malicious file) but no authentication. Apple has released patched versions for all affected platforms with CVSS 6.3 (moderate severity) and no public exploitation identified at time of analysis.
Technical ContextAI
This is a classic out-of-bounds write vulnerability (CWE-787: Out-of-bounds Write) in Apple's media processing subsystem, likely affecting frameworks used across iOS, macOS, tvOS, visionOS, and watchOS for handling various media file formats. The root cause is insufficient bounds checking when parsing or decoding media file headers or content, permitting an attacker to write data beyond allocated buffer boundaries. The vulnerability impacts the media handling stack common to all Apple OSes, explaining the broad CPE coverage across cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and related OS CPEs. The flaw can corrupt process memory (information disclosure) or crash the affected application (denial of service).
RemediationAI
Vendor-released patches are available for all affected platforms: update to iOS 18.6, iPadOS 18.6 (or 17.7.9 for older iPad models), macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, or watchOS 11.6. No formal workarounds exist; patching is the primary remediation. Users should avoid opening untrusted media files from unknown sources pending update deployment. Device administrators should prioritize patching iOS/iPadOS devices first due to higher user population, followed by macOS. Refer to device-specific security updates at https://support.apple.com/en-us/124147 through https://support.apple.com/en-us/124155 for download links and detailed patching instructions.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209193
GHSA-836c-rhv9-3x5j