Description
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, watchOS 11.4. Processing a maliciously crafted font may result in the disclosure of process memory.
Published: 2025-03-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A maliciously crafted font processed by the operating system can expose portions of process memory, thereby violating the confidentiality of data that may be held in memory such as credentials or personal information. The vulnerability is categorized as an information disclosure flaw (CWE-200).

Affected Systems

Apple iOS 18.4, iPadOS 18.4 and iPadOS 17.7.6, macOS Sequoia 15.4, Sonoma 14.7.5, Ventura 13.7.5, tvOS 18.4, and watchOS 11.4 are the only versions known to contain the fix; devices running earlier releases remain vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity while the EPSS score of less than 1 % and the lack of inclusion in the CISA KEV catalog suggest a low probability of exploitation. Based on the description, it is inferred that an attacker who delivers a forged font or otherwise causes the system to process an untrusted font file could trigger a memory disclosure. The most likely attack vector, therefore, involves any application or system component that accepts custom font files from network or local sources, making such software a potential entry point.

Generated by OpenCVE AI on April 28, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade each device to the latest OS version that includes the memory‑handling fix: iOS 18.4, iPadOS 18.4 or 17.7.6, macOS Sequoia 15.4 or Sonoma 14.7.5 or Ventura 13.7.5, tvOS 18.4, and watchOS 11.4.
  • Enable automatic system updates so that future security releases are applied without manual intervention.
  • Configure or restrict applications so that they avoid loading font files from untrusted or external sources; when possible, disable dynamic font loading features.

Generated by OpenCVE AI on April 28, 2026 at 11:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8965 The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted font may result in the disclosure of process memory.
History

Tue, 28 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title Information Disclosure through Improper Font Parsing on Apple Operating Systems

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted font may result in the disclosure of process memory. The issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, watchOS 11.4. Processing a maliciously crafted font may result in the disclosure of process memory.
References

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos

Wed, 02 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted font may result in the disclosure of process memory.
References

Subscriptions

Apple Ipados Iphone Os Macos Tvos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:24.966Z

Reserved: 2025-01-17T00:00:45.008Z

Link: CVE-2025-24244

cve-icon Vulnrichment

Updated: 2025-11-03T21:10:41.110Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:21.620

Modified: 2026-04-02T19:19:25.937

Link: CVE-2025-24244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:45:30Z

Weaknesses