Description
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Parsing a file may lead to disclosure of user information.
Published: 2025-01-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in the file-parsing code performs an out-of-bounds memory read, so a malformed or malicious file can expose memory contents that were never meant to be disclosed. The vulnerability is classified as CWE-125 and can leak sensitive user data, such as personal information or credentials, held in memory by the application or process that parsed the file. The impact is higher for applications that handle user-provided data, and the read occurs as soon as the vulnerable routine parses the file.

Affected Systems

All Apple operating systems released before the security updates named in the advisory are affected: iOS, iPadOS, macOS, tvOS, visionOS, and watchOS versions earlier than iOS 18.3, iPadOS 18.3 or 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3. Devices running these older releases, and any apps on them that invoke the vulnerable parsing routine, are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of under 1% suggests that exploitation is unlikely but still possible. The flaw is not listed in CISA's KEV catalog. Based on the description, an attacker would need to deliver a specially crafted file to a susceptible application; the attack vector is local or user-initiated rather than remote (the CVSS vector records AV:L with UI:R). Once the file is processed, memory reads beyond the intended bounds may reveal private data to the attacker.

Generated by OpenCVE AI on April 29, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest iOS, iPadOS, macOS, tvOS, visionOS, and watchOS updates that contain the out-of-bounds read fix (e.g., iOS 18.3+, iPadOS 18.3 or 17.7.4, macOS Sequoia 15.3 or Sonoma 14.7.3 or Ventura 13.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3).
  • Deploy firmware or application updates from third-party vendors that include the corrected file-parsing logic.
  • If no patch can be applied in a timely manner, confine untrusted file parsers with strict sandboxing policies, or disable the vulnerable parser in critical applications until the fix is applied.

Advisories
Source: EUVD
ID: EUVD-2025-3653
Title: An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.4, macOS Ventura 13.7.3, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Parsing a file may lead to disclosure of user information.
History

Wed, 29 Apr 2026 01:30:00 +0000

Title (added): Out-of-Bounds Read in File Parsing Leads to Information Disclosure on Apple OS

Thu, 02 Apr 2026 20:30:00 +0000

Description (removed): An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.4, macOS Ventura 13.7.3, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Parsing a file may lead to disclosure of user information.
Description (added): An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Parsing a file may lead to disclosure of user information.

Mon, 03 Nov 2025 21:30:00 +0000


Mon, 03 Mar 2025 23:15:00 +0000

First Time appeared:
  • Apple
  • Apple ipados
  • Apple iphone Os
  • Apple macos
  • Apple tvos
  • Apple visionos
  • Apple watchos
Weaknesses: CWE-125
CPEs:
  • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products:
  • Apple
  • Apple ipados
  • Apple iphone Os
  • Apple macos
  • Apple tvos
  • Apple visionos
  • Apple watchos
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Wed, 19 Feb 2025 20:15:00 +0000

Weaknesses: CWE-922
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Tue, 28 Jan 2025 16:15:00 +0000

Weaknesses: CWE-922
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 22:00:00 +0000

Description (added): An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.4, macOS Ventura 13.7.3, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Parsing a file may lead to disclosure of user information.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:12:09.381Z

Reserved: 2025-01-17T00:00:44.976Z

Link: CVE-2025-24149

Vulnrichment

Updated: 2025-11-03T21:04:11.326Z

NVD

Status: Modified

Published: 2025-01-27T22:15:19.173

Modified: 2026-04-02T19:19:07.717

Link: CVE-2025-24149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:15:44Z

Weaknesses