CVE-2025-43533
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash.
Analysis
Memory corruption vulnerability in Apple's HID (Human Interface Device) input handling subsystem affecting iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A malicious HID device can supply input that is insufficiently validated and trigger unexpected process crashes, resulting in denial of service. The vulnerability has a CVSS score of 5.7 (medium severity), has an adjacent-network attack vector, and requires user interaction; available intelligence indicates no evidence of active exploitation or a public PoC.
Technical Context
This vulnerability resides in Apple's HID device driver stack, which processes input from peripheral devices (keyboards, mice, game controllers, etc.). The root cause is classified as CWE-20 (Improper Input Validation), indicating insufficient sanitization of HID protocol data structures before processing. The vulnerability spans multiple OS kernels across Apple's entire ecosystem (iOS/iPadOS, macOS, watchOS, tvOS, visionOS), suggesting a shared HID subsystem component. The attack surface includes any system accepting HID input from untrusted or physically compromised devices. The 'memory corruption' classification (plural 'issues') suggests multiple related input validation bypass conditions, possibly affecting buffer boundaries or state machine transitions in HID packet parsing.
Affected Products
All Apple platforms at versions prior to v26.2:
(1) iOS < 26.2 (cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*)
(2) iPadOS < 26.2 (cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*)
(3) macOS Tahoe < 26.2 (cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*)
(4) watchOS < 26.2 (cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*)
(5) tvOS < 26.2 (cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*)
(6) visionOS < 26.2 (cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*)
Vendor advisories: https://support.apple.com/en-us/125884 (primary), https://support.apple.com/en-us/125886, https://support.apple.com/en-us/125889, https://support.apple.com/en-us/125890, https://support.apple.com/en-us/125891 (platform-specific details).
Remediation
PATCH: Update all affected Apple devices to v26.2 or later immediately. Specific patch versions by platform: iOS 26.2+, iPadOS 26.2+, macOS Tahoe 26.2+, watchOS 26.2+, tvOS 26.2+, visionOS 26.2+.
WORKAROUNDS (temporary, prior to patching):
(1) Restrict physical USB access to trusted devices only;
(2) Disable Bluetooth HID device pairing with untrusted peripherals;
(3) Use MDM (Mobile Device Management) policies to restrict HID devices to an allowlist on enterprise devices;
(4) Monitor system logs for unexpected process crashes that correlate with HID device connection events.
MITIGATION: Organizations should enforce the latest OS versions through device management policies and educate users against connecting untrusted peripherals. Detailed patch instructions are available in the Apple support advisories linked above.
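One way to implement workaround (4), as an added example that is not part of the original advisory or of Apple's tooling: flag crashes that occur within a short window after an HID device attaches. The event schema, function names and sample records are constructed assumptions; map your own log export into this shape.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (timestamp, kind, detail); this is not real Apple unified-log output.
SAMPLE_EVENTS = [
    ("2025-12-15T09:00:05", "hid_attach", "usb keyboard (constructed)"),
    ("2025-12-15T09:00:09", "crash", "process-a"),
    ("2025-12-15T09:20:00", "crash", "process-b"),
    ("2025-12-15T10:15:30", "hid_attach", "bluetooth gamepad (constructed)"),
    ("2025-12-15T10:15:31", "crash", "process-a"),
    ("2025-12-15T10:15:58", "crash", "process-a"),
    ("2025-12-15T11:00:00", "hid_attach", "usb mouse (constructed)"),
]


def correlate(events, window_seconds=30):
    """Return (device, process, delay_seconds) for every crash that occurs
    within window_seconds after the most recent HID attach event."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        (datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in events
    )
    last_attach = None
    hits = []
    for when, kind, detail in parsed:
        if kind == "hid_attach":
            last_attach = (when, detail)
        elif kind == "crash" and last_attach is not None:
            delay = when - last_attach[0]
            if delay <= window:
                hits.append((last_attach[1], detail, int(delay.total_seconds())))
    return hits


def suspicious_devices(events, window_seconds=30, min_crashes=2):
    """Devices whose attachment preceded at least min_crashes crashes."""
    counts = {}
    for device, _process, _delay in correlate(events, window_seconds):
        counts[device] = counts.get(device, 0) + 1
    return sorted(d for d, n in counts.items() if n >= min_crashes)


if __name__ == "__main__":
    for device, process, delay in correlate(SAMPLE_EVENTS):
        print(f"{process} crashed {delay}s after attach of {device}")
    print("review:", suspicious_devices(SAMPLE_EVENTS))
```

A single crash shortly after an attach is weak evidence on its own; repeated crashes tied to the same peripheral are the signal worth triaging.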