What is the CVSS score of CVE-2025-46285?

CVE-2025-46285 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of iOS are affected by CVE-2025-46285?

CVE-2025-46285 is a local privilege escalation vulnerability affecting Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS that allows authenticated users to gain root-level access and fully…

How to fix or mitigate CVE-2025-46285?

Within 24 hours: Inventory all Apple devices across iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS in your environment and identify devices running versions prior to February 2025 security updates. Within 7 days: Deploy February 2025 security updates to all affected Apple platforms via MDM/DEP or direct user notification; prioritize business-critical systems and high-sensitivity data access points. Within 30 days: Verify 100% deployment completion through device compliance reporting; audit privileged access logs on macOS systems for unauthorized escalation attempts; review and strengthen authentication controls for shared or BYOD devices.

iOS CVE-2025-46285

HIGH

Integer Overflow or Wraparound (CWE-190)

2025-12-12 product-security@apple.com

Privilege Escalation Integer Overflow Apple iOS macOS

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 02, 2026 - 19:37 vuln.today

CVE Published

Dec 12, 2025 - 21:15 nvd

HIGH 7.8

DescriptionNVD

An integer overflow was addressed by adopting 64-bit timestamps. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. An app may be able to gain root privileges.

AnalysisAI

Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.

Technical ContextAI

This vulnerability stems from an integer overflow (CWE-190) in Apple's operating system timestamp processing mechanisms. Integer overflows occur when arithmetic operations produce values exceeding the maximum representable value for a given data type, potentially causing memory corruption or logic errors. Apple's legacy use of 32-bit timestamps created overflow conditions that malicious applications could exploit to manipulate memory boundaries and escalate privileges. The fix migrates to 64-bit timestamp representations, extending the overflow horizon beyond practical exploitation timeframes. The vulnerability exists in low-level system time management code shared across Apple's unified operating system architecture (Darwin kernel components), affecting the entire product ecosystem from mobile devices to desktop and embedded platforms. CPE data identifies macOS as primary affected products, though vendor advisories confirm cross-platform impact including iOS 18.x/26.x, iPadOS, tvOS, visionOS, and watchOS variants.

RemediationAI

Install vendor-released security updates immediately through standard Apple software update mechanisms. For iOS and iPadOS devices, upgrade to version 18.7.3 or 26.2 depending on device compatibility. For macOS systems, apply Sequoia 15.7.3, Sonoma 14.8.3, or Tahoe 26.2 as appropriate for your macOS generation. Apple TV devices require tvOS 26.2, Vision Pro headsets require visionOS 26.2, and Apple Watch devices require watchOS 26.2. Detailed installation guidance and device-specific eligibility information available at Apple support advisories https://support.apple.com/en-us/125887 (macOS Sequoia), https://support.apple.com/en-us/125888 (macOS Sonoma), and related HT214785-HT214791 advisory pages for other platforms. No workarounds exist; patching is the only effective mitigation. For enterprise environments using Mobile Device Management, prioritize deployment to administrator workstations, developer systems, and any devices processing sensitive data or credentials. Verify successful patch application through system version reporting in Settings or About This Mac panels.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-5817 HIGH This Week

8.2 May 22

Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Dock

CVE-2026-5843 HIGH This Week

8.2 May 22

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape

CVE-2025-43306 HIGH This Week

7.8 May 26

Local privilege escalation in Apple macOS allows a malicious app already running with low privileges to elevate to root

CVE-2026-49237 HIGH This Week

7.8 May 28

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r

CVE-2025-46285 vulnerability details – vuln.today

Back

iOS CVE-2025-46285

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code