CVE-2025-43349 - Vulnerability Details

- Out-of-Bounds Write in Video File Parsing Leading to App Termination

Description

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing a maliciously crafted video file may lead to unexpected app termination.

Published: 2025-09-15

Score: 2.8 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An out-of-bounds write flaw was discovered in the processing of video files, resulting in improper bounds checking that can corrupt memory. The resulting crash causes the application or system to terminate unexpectedly, effectively providing a denial‑of‑service condition to the user. The weakness is catalogued as CWE‑787 and is not associated with information disclosure or code execution.

Affected Systems

The flaw affects Apple operating systems across multiple device families, including iOS 18.7, iPadOS 18.7, iOS 26, iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, and watchOS 26. Devices running earlier or unpatched versions are vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 2.8 indicates low severity, and the EPSS score of under 1 % reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves a victim opening or viewing a maliciously crafted video file locally on the device. No remote exploitation method is documented in the supplied description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 18.7
`0`	affected	< 26

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 14.8
`0`	affected	< 15.7
`0`	affected	< 26

Apple

tvOS

affected

Version	Status	Constraints
`0`	affected	< 26

Apple

visionOS

affected

Version	Status	Constraints
`0`	affected	< 26

Apple

watchOS

affected

Version	Status	Constraints
`0`	affected	< 26

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::
	cpe:2.3:o:apple:watchos::::::::

No data.

Vendor	Product	Confidence	Versions
Apple	Ios	—	—
Apple	Ipados	—	—
Apple	Macos	—	—
Apple	Macos Sequoia	—	—
Apple	Macos Sonoma	—	—
Apple	Macos Tahoe	—	—
Apple	Tvos	—	—
Apple	Visionos	—	—
Apple	Watchos	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest OS updates for iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, including the 18.7/26, 15.7/14.8/26, 26, and 26 releases that contain the fix.
Configure the device to automatically receive and install over‑the‑air (OTA) updates to reduce the window of exposure.
Avoid opening video files from untrusted or unknown sources until a patch is installed, and consider restricting playback of externally supplied video content while awaiting the update.

Generated by OpenCVE AI on April 27, 2026 at 23:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-29273	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 26, macOS Sonoma 14.8, macOS Sequoia 15.7, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing a maliciously crafted video file may lead to unexpected app termination.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Sep/49
http://seclists.org/fulldisclosure/2025/Sep/53
http://seclists.org/fulldisclosure/2025/Sep/54
http://seclists.org/fulldisclosure/2025/Sep/55
http://seclists.org/fulldisclosure/2025/Sep/56
http://seclists.org/fulldisclosure/2025/Sep/57
http://seclists.org/fulldisclosure/2025/Sep/58
https://support.apple.com/en-us/125108
https://support.apple.com/en-us/125109
https://support.apple.com/en-us/125110
https://support.apple.com/en-us/125111
https://support.apple.com/en-us/125112
https://support.apple.com/en-us/125114
https://support.apple.com/en-us/125115
https://support.apple.com/en-us/125116

History

Tue, 28 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Out-of-Bounds Write in Video File Parsing Leading to App Termination

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 26, watchOS 26, macOS Sonoma 14.8, iOS 26 and iPadOS 26, macOS Sequoia 15.7, visionOS 26, iOS 18.7 and iPadOS 18.7. Processing a maliciously crafted video file may lead to unexpected app termination.	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing a maliciously crafted video file may lead to unexpected app termination.
References		https://support.apple.com/en-us/125110

Sat, 28 Feb 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 04 Nov 2025 02:30:00 +0000

Type	Values Removed	Values Added
References	https://support.apple.com/en-us/125110

Tue, 04 Nov 2025 01:45:00 +0000

Type	Values Removed	Values Added
Description	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 26, macOS Sonoma 14.8, macOS Sequoia 15.7, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing a maliciously crafted video file may lead to unexpected app termination.	An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 26, watchOS 26, macOS Sonoma 14.8, iOS 26 and iPadOS 26, macOS Sequoia 15.7, visionOS 26, iOS 18.7 and iPadOS 18.7. Processing a maliciously crafted video file may lead to unexpected app termination.

Mon, 03 Nov 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Sep/49 http://seclists.org/fulldisclosure/2025/Sep/53 http://seclists.org/fulldisclosure/2025/Sep/54 http://seclists.org/fulldisclosure/2025/Sep/55 http://seclists.org/fulldisclosure/2025/Sep/56 http://seclists.org/fulldisclosure/2025/Sep/57 http://seclists.org/fulldisclosure/2025/Sep/58

Wed, 17 Sep 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple iphone Os
CPEs		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple iphone Os

Wed, 17 Sep 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios Apple ipados Apple macos Apple macos Sequoia Apple macos Sonoma Apple macos Tahoe Apple tvos Apple visionos Apple watchos
Vendors & Products		Apple Apple ios Apple ipados Apple macos Apple macos Sequoia Apple macos Sonoma Apple macos Tahoe Apple tvos Apple visionos Apple watchos

Tue, 16 Sep 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
Metrics		cvssV3_1 `{'score': 2.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}`

Mon, 15 Sep 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 26, macOS Sonoma 14.8, macOS Sequoia 15.7, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing a maliciously crafted video file may lead to unexpected app termination.
References		https://support.apple.com/en-us/125108 https://support.apple.com/en-us/125109 https://support.apple.com/en-us/125110 https://support.apple.com/en-us/125111 https://support.apple.com/en-us/125112 https://support.apple.com/en-us/125114 https://support.apple.com/en-us/125115 https://support.apple.com/en-us/125116

Subscriptions

Apple Ios Ipados Iphone Os Macos Macos Sequoia Macos Sonoma Macos Tahoe Tvos Visionos Watchos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-09-15T22:35:53.636Z

Updated: 2026-04-02T18:26:39.910Z

Reserved: 2025-04-16T15:24:37.111Z

Link: CVE-2025-43349

Vulnrichment

Updated: 2025-11-03T18:12:04.561Z

NVD

Status : Modified

Published: 2025-09-15T23:15:37.067

Modified: 2026-04-02T19:20:31.653

Link: CVE-2025-43349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T00:00:18Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object