Description
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Published: 2025-07-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption or application termination
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds access flaw was discovered in the media file parsing routine. The flaw is due to insufficient bounds checking, so a maliciously crafted media file can cause an unexpected app termination or corrupt the memory of the process handling the media. This could lead to application instability and, if the corrupted memory is exploited, potential compromise of the process.

Affected Systems

The vulnerability affects Apple operating systems: iOS, iPadOS, macOS, tvOS, and visionOS. The issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, and visionOS 2.6. Any device running earlier versions of these operating systems is potentially affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-level impact. The EPSS score of less than 1% points to a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local; an attacker who can supply a malicious media file to the target will trigger the fault. Because the flaw resides in media processing, any application that accepts media from untrusted sources could be impacted.

Generated by OpenCVE AI on April 28, 2026 at 00:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Apple systems to the patched versions: iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, or visionOS 2.6 or later.
  • Configure devices to apply automatic OS updates or manually install the latest security updates as soon as they become available.
  • If an update cannot be applied immediately, restrict the use of untrusted media files, use sandboxing or application whitelisting where possible, and monitor for abnormal application crashes or memory corruption events.

Generated by OpenCVE AI on April 28, 2026 at 00:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23068 An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, visionOS 2.6, tvOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
History

Tue, 28 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Access in Media File Processing Causing App Termination or Memory Corruption

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, visionOS 2.6, tvOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 31 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple iphone Os

Thu, 31 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 30 Jul 2025 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipados
Apple macos
Apple macos Sequoia
Apple tvos
Apple visionos
Vendors & Products Apple
Apple ios
Apple ipados
Apple macos
Apple macos Sequoia
Apple tvos
Apple visionos

Wed, 30 Jul 2025 00:15:00 +0000

Type Values Removed Values Added
Description An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, visionOS 2.6, tvOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

Tue, 29 Jul 2025 23:45:00 +0000

Type Values Removed Values Added
Description An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
References

Subscriptions

Apple Ios Ipados Iphone Os Macos Macos Sequoia Tvos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:23:07.980Z

Reserved: 2025-04-16T15:24:37.090Z

Link: CVE-2025-43221

cve-icon Vulnrichment

Updated: 2025-11-03T20:01:09.266Z

cve-icon NVD

Status : Modified

Published: 2025-07-30T00:15:34.160

Modified: 2026-04-02T19:20:07.630

Link: CVE-2025-43221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:00:10Z

Weaknesses