iOS
CVE-2025-43277
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.8, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted audio file may lead to memory corruption.
AnalysisAI
Memory corruption in Apple's audio processing framework across iOS, macOS, tvOS, visionOS, and watchOS allows local attackers to achieve arbitrary code execution by tricking users into opening malicious audio files. Fixed in iOS/iPadOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.8, tvOS 18.6, visionOS 2.6, and watchOS 11.6. Despite a high CVSS score of 7.8, the 2% EPSS probability indicates low observed exploitation likelihood, with no public exploit identified at time of analysis and no CISA KEV listing.
Technical ContextAI
This vulnerability represents a buffer overflow (CWE-119) in Apple's audio file parsing subsystem, which is shared across the entire Apple ecosystem including macOS, iOS, iPadOS, tvOS, visionOS, and watchOS. Audio file parsers are notoriously complex due to the variety of codec formats, container structures, and metadata fields they must handle. The memory handling flaw likely occurs during the parsing or decoding phase when processing specially crafted audio file headers, metadata chunks, or compressed audio streams. Buffer overflows in media parsers can allow attackers to overwrite adjacent memory regions with controlled data, potentially hijacking program execution flow. The cross-platform nature indicated by the CPE data (cpe:2.3:o:apple:macos) and Apple's simultaneous patching across all operating systems suggests the vulnerable code exists in a shared framework, potentially AudioToolbox or Core Audio components that handle format detection and decoding operations common to all Apple platforms.
RemediationAI
Apply vendor-released patches immediately by updating to iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.8, tvOS 18.6, visionOS 2.6, or watchOS 11.6 as appropriate for your platform. Apple addressed the vulnerability through improved memory handling in the audio processing framework. Installation instructions and update packages are available through standard Apple Software Update mechanisms or from the security advisories at support.apple.com/en-us/125112 and related platform-specific bulletins (124147, 124149, 124153, 124154, 124155). As an interim mitigation until patching is complete, users should avoid opening audio files from untrusted sources or unknown senders, though this workaround is not a substitute for applying the security update. Organizations should prioritize patching user-facing devices where employees regularly handle external media files, particularly in creative, media production, or customer support roles.
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 7.8), this vulnerability
The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensiti
The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)
AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mo
A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticate
Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.
Memory corruption vulnerabilities in Apple's graphics texture processing engine across iOS, iPadOS, macOS, tvOS, visionO
Buffer overflow memory corruption in Apple file parsing components allows remote code execution across iOS 18.6, iPadOS
A use-after-free issue was addressed with improved memory management. Rated critical severity (CVSS 9.8), this vulnerabi
Same weakness CWE-119 – Buffer Overflow
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today