Apple
CVE-2025-43533
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash.
AnalysisAI
Memory corruption vulnerability in Apple's HID (Human Interface Device) input handling subsystem affecting iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A malicious HID device can trigger unexpected process crashes through improved input validation failures, resulting in denial of service. The vulnerability has a CVSS score of 5.7 (medium severity) with adjacent network attack vector and requires user interaction; no evidence of active exploitation or public POC is indicated in available intelligence.
Technical ContextAI
This vulnerability resides in Apple's HID device driver stack, which processes input from peripheral devices (keyboards, mice, game controllers, etc.). The root cause is classified as CWE-20 (Improper Input Validation), indicating insufficient sanitization of HID protocol data structures before processing. The vulnerability spans multiple OS kernels across Apple's entire ecosystem (iOS/iPadOS, macOS, watchOS, tvOS, visionOS), suggesting a shared HID subsystem component. The attack surface includes any system accepting HID input from untrusted or physically compromised devices. The 'memory corruption' classification (plural 'issues') suggests multiple related input validation bypass conditions, possibly affecting buffer boundaries or state machine transitions in HID packet parsing.
RemediationAI
PATCH: Update all affected Apple devices to v26.2 or later immediately. Specific patch versions by platform: iOS 26.2+, iPadOS 26.2+, macOS Tahoe 26.2+, watchOS 26.2+, tvOS 26.2+, visionOS 26.2+. WORKAROUNDS (temporary, prior to patching): (1) Restrict physical USB access to trusted devices only; (2) Disable Bluetooth HID device pairing with untrusted peripherals; (3) Use MDM (Mobile Device Management) policies to limit HID device allowlisting on enterprise devices; (4) Monitor system logs for unexpected process crashes correlating with HID device connection events. MITIGATION: Organizations should enforce latest OS versions through device management policies and educate users against connecting untrusted peripherals. Detailed patch instructions available in Apple support advisories linked above.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today