Description
An input validation issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. Processing a maliciously crafted file may lead to unexpected app termination.
Published: 2025-07-29
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

An input validation flaw, addressed with improved memory handling, allows a maliciously crafted file to terminate applications unexpectedly when it is processed. The primary consequence is a denial of service to the affected user, as applications crash without predictable recovery. The weakness is classified as CWE-20, indicating a failure to validate input properly, which can lead to abnormal termination when corrupted data is parsed. The likely attack vector is delivering a specially crafted file or payload to a vulnerable device, after which the impacted application aborts due to a memory handling error.

Affected Systems

Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS are impacted. The fix is provided in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, and visionOS 2.6; preceding versions of the relevant operating system families are therefore considered vulnerable.

Risk and Exploitability

The CVSS score of 9.1 places this vulnerability in the Critical severity tier, highlighting the potential for severe disruption. EPSS indicates a very low probability of exploitation, and the flaw is not listed in KEV. The attack scenario requires an attacker to supply a malformed file that the targeted application processes; no network-based trigger is documented, so the vulnerability is likely file-delivery or file-exposure dependent. Given the severity, the risk is significant for environments where application stability is mission critical.

Generated by OpenCVE AI on April 28, 2026 at 01:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security updates for iOS, iPadOS, macOS, tvOS, and visionOS that contain the input validation fix.
  • Enable automatic OS updates so the patch is installed promptly.
  • If the update is not yet available, restrict or quarantine file execution for applications that handle user‑supplied content and remove suspicious files.

Advisories
Source: EUVD
ID: EUVD-2025-23128
Title: An input validation issue was addressed with improved memory handling. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted file may lead to unexpected app termination.

History

Tue, 28 Apr 2026 01:30:00 +0000

Type: Title
Values Added: Malicious File Causing App Crash via Input Validation Vulnerability

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: An input validation issue was addressed with improved memory handling. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted file may lead to unexpected app termination.
Values Added: An input validation issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. Processing a maliciously crafted file may lead to unexpected app termination.

Sat, 28 Feb 2026 04:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 20:30:00 +0000


Thu, 31 Jul 2025 21:00:00 +0000

Type: First Time appeared
Values Added: Apple iphone Os

Type: CPEs
Values Added:
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple iphone Os

Thu, 31 Jul 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 31 Jul 2025 18:30:00 +0000

Type: Weaknesses
Values Added: CWE-20

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Wed, 30 Jul 2025 11:15:00 +0000

Type: First Time appeared
Values Added:
Apple
Apple ios
Apple ipados
Apple macos
Apple macos Sequoia
Apple tvos
Apple visionos

Type: Vendors & Products
Values Added:
Apple
Apple ios
Apple ipados
Apple macos
Apple macos Sequoia
Apple tvos
Apple visionos

Tue, 29 Jul 2025 23:45:00 +0000

Type: Description
Values Added: An input validation issue was addressed with improved memory handling. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted file may lead to unexpected app termination.

References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:09:13.418Z

Reserved: 2025-03-27T16:13:58.345Z

Link: CVE-2025-31281

Vulnrichment

Updated: 2025-11-03T19:53:08.752Z

NVD

Status: Modified

Published: 2025-07-30T00:15:31.273

Modified: 2026-04-02T19:20:00.443

Link: CVE-2025-31281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z

Weaknesses