Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing a maliciously crafted image may lead to a denial-of-service.
Published: 2025-05-12
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A logic flaw in Apple’s image processing can be triggered by a maliciously crafted image, causing the receiving process to crash and resulting in a denial of service. The flaw stems from inadequate validation checks, which were improved in newer releases. By supplying the crafted image, an attacker can interrupt normal operation, potentially impacting availability for local or remote applications that rely on image rendering.

Affected Systems

Apple iOS 18.5 and later, iPadOS 18.5 and 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5 and later are secured against this issue. Earlier versions in each platform family are susceptible.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while an EPSS score of less than 1% shows the vulnerability is unlikely to be actively exploited. It is not listed in CISA KEV, suggesting no known widespread exploitation. The likely attack vector is the delivery of a malicious image through any interface that accepts image input, such as a web browser, email client, or media application. An attacker would need to supply the crafted image to the target device; once processed, the exposed logic error can cause a crash and a temporary denial of service.

Generated by OpenCVE AI on April 28, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the affected Apple operating systems to the specified patched releases: iOS 18.5, iPadOS 18.5/17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5 or newer.
  • If an upgrade cannot be performed immediately, restrict or sandbox the services and applications that accept image input to limit their exposure to potentially malicious data and enforce strict size and format validation.
  • Continuously monitor device logs for repeated image decoding failures or crashes, and apply host‑based intrusion detection rules that flag anomalous consumption of system resources or repeated DoS patterns.

Advisories
Source: EUVD
ID: EUVD-2025-14778
Title: A logic issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5. Processing a maliciously crafted image may lead to a denial-of-service.

History

Tue, 28 Apr 2026 02:15:00 +0000

Type: Title
Values Added: Denial of Service Triggered by Malicious Image Processing on Apple Platforms

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A logic issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5. Processing a maliciously crafted image may lead to a denial-of-service.
Values Added: A logic issue was addressed with improved checks. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing a maliciously crafted image may lead to a denial-of-service.

Mon, 03 Nov 2025 20:30:00 +0000


Tue, 27 May 2025 21:45:00 +0000

Type: First Time appeared
Values Added:
Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos
Apple visionos
Apple watchos

Type: CPEs
Values Added:
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos
Apple visionos
Apple watchos

Wed, 14 May 2025 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-400

Type: Metrics
Values Added:
cvssV3_1
{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 May 2025 21:45:00 +0000

Type: Description
Values Added: A logic issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5. Processing a maliciously crafted image may lead to a denial-of-service.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:21:04.197Z

Reserved: 2025-03-27T16:13:58.321Z

Link: CVE-2025-31226

Vulnrichment

Updated: 2025-11-03T19:50:35.666Z

NVD

Status: Modified

Published: 2025-05-12T22:15:23.313

Modified: 2026-04-02T19:19:51.033

Link: CVE-2025-31226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:00:15Z

Weaknesses