Impact
The vulnerability stems from insufficient memory handling within Apple's video decoding subsystem, enabling a maliciously crafted video file to cause uncontrolled memory corruption or overrun. This can lead to the abrupt termination of an application or the corruption of its own memory space. The weakness is categorized as CWE‑400, signifying a failure in resource and memory control.
Affected Systems
Apple’s operating systems—iOS, iPadOS, macOS, tvOS, and visionOS—are impacted. The fix is included in iOS 18.4, iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, and visionOS 2.4. Based on the fixed versions, earlier releases of these platforms are assumed to be vulnerable.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity, while the EPSS score of 2 % suggests a low but non‑negligible likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely the delivery of a maliciously crafted video file to the device—through local storage, email attachment, cloud sync, or online download—potentially resulting in memory corruption or application termination, a local denial of service for the affected device.
OpenCVE Enrichment
EUVD