Skip to main content

Apple CVE-2025-43210

| EUVDEUVD-2025-209193 MEDIUM
Out-of-bounds Write (CWE-787)
2026-04-02 apple GHSA-836c-rhv9-3x5j
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
15.6,17.7.9,2.6
EUVD ID Assigned
Apr 02, 2026 - 19:01 euvd
EUVD-2025-209193
Analysis Generated
Apr 02, 2026 - 19:01 vuln.today
CVE Published
Apr 02, 2026 - 18:21 nvd
MEDIUM 6.3

DescriptionCVE.org

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

AnalysisAI

Out-of-bounds memory access in Apple media processing affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, allowing remote attackers to trigger unexpected application termination or memory corruption through maliciously crafted media files. The vulnerability requires user interaction (opening/playing the malicious file) but no authentication. Apple has released patched versions for all affected platforms with CVSS 6.3 (moderate severity) and no public exploitation identified at time of analysis.

Technical ContextAI

This is a classic out-of-bounds write vulnerability (CWE-787: Out-of-bounds Write) in Apple's media processing subsystem, likely affecting frameworks used across iOS, macOS, tvOS, visionOS, and watchOS for handling various media file formats. The root cause is insufficient bounds checking when parsing or decoding media file headers or content, permitting an attacker to write data beyond allocated buffer boundaries. The vulnerability impacts the media handling stack common to all Apple OSes, explaining the broad CPE coverage across cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and related OS CPEs. The flaw can corrupt process memory (information disclosure) or crash the affected application (denial of service).

RemediationAI

Vendor-released patches are available for all affected platforms: update to iOS 18.6, iPadOS 18.6 (or 17.7.9 for older iPad models), macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, or watchOS 11.6. No formal workarounds exist; patching is the primary remediation. Users should avoid opening untrusted media files from unknown sources pending update deployment. Device administrators should prioritize patching iOS/iPadOS devices first due to higher user population, followed by macOS. Refer to device-specific security updates at https://support.apple.com/en-us/124147 through https://support.apple.com/en-us/124155 for download links and detailed patching instructions.

Share

CVE-2025-43210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy