Description
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Published: 2025-11-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application crash or memory corruption from out‑of‑bounds media file parsing
Action: Patch Immediately
AI Analysis

Impact

An out-of-bounds access flaw exists in the media file processing components of several Apple operating systems. When a specially crafted media file is processed, the application handling it can terminate unexpectedly or have its process memory corrupted. The weakness is recorded as CWE-125 (out-of-bounds read): a length or offset taken from the file is used as a read bound without being checked against the buffer that actually holds the data, and the fix is described by Apple as improved bounds checking. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) records no confidentiality or integrity impact, only a low availability impact, so the expected outcome is loss of application stability rather than code execution.
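To make the weakness concrete, the following is an added example written for this page; it is not Apple's code and not the format or component behind CVE-2025-43384. It is a toy size-prefixed chunk parser in the style of common media containers (a 4-byte big-endian size that counts the whole chunk, a 4-byte type code, then the payload), with the unchecked read that matches CWE-125 beside a bounds-checked version. The chunk format, the `parse_chunks_unchecked` / `parse_chunks_checked` functions and the `SAMPLE_*` byte strings are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/*
 * Toy chunk format, constructed for this example (modelled on the size-prefixed
 * box layout of common media containers; NOT the format involved in the CVE):
 *
 *   uint32  size   big-endian, counts the whole chunk including this header
 *   char[4] type   four-character code
 *   bytes   payload, size - 8 bytes long
 *
 * Chunks are laid back to back until the buffer ends.
 */

/* Read a big-endian 32-bit value. */
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Stand-in for "processing" a chunk: sum the payload bytes handed to us. */
static uint32_t sum_bytes(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/*
 * VULNERABLE (CWE-125): the size field is trusted exactly as read from the file.
 * A chunk whose declared size exceeds the bytes remaining makes sum_bytes()
 * walk past the end of `buf`; size < 8 makes `size - 8` wrap to a huge value,
 * and size == 0 never advances `off`. Returns the payload sum.
 * Only ever call this on input that is already trusted.
 */
int64_t parse_chunks_unchecked(const uint8_t *buf, size_t len) {
    size_t off = 0;
    uint32_t total = 0;
    while (off + 8 <= len) {
        uint32_t size = rd_be32(buf + off);
        total += sum_bytes(buf + off + 8, (size_t)size - 8); /* no bound against len */
        off += size;
    }
    return total;
}

/*
 * HARDENED: every length derived from the file is validated against the bytes
 * actually present before it becomes a read bound.
 * Returns the payload sum (>= 0) or a negative error code.
 */
int64_t parse_chunks_checked(const uint8_t *buf, size_t len) {
    size_t off = 0;
    uint32_t total = 0;
    while (off < len) {
        if (len - off < 8)    return -1;  /* truncated header */
        uint32_t size = rd_be32(buf + off);
        if (size < 8)         return -2;  /* header cannot fit; also stops a size==0 spin */
        if (size > len - off) return -3;  /* declared payload runs past the buffer */
        total += sum_bytes(buf + off + 8, size - 8);
        off += size;
    }
    return total;
}

/* Constructed sample inputs. */
/* Well-formed: "ftyp" with payload 1,2,3,4 followed by "mdat" with payload 5,6. */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 1,2,3,4,
    0x00,0x00,0x00,0x0A, 'm','d','a','t', 5,6,
};
/* Crafted: "mdat" claims 0x7FFFFFFF bytes but only 2 follow the header. */
static const uint8_t SAMPLE_OVERSIZED[] = {
    0x7F,0xFF,0xFF,0xFF, 'm','d','a','t', 5,6,
};
/* Crafted: size field smaller than the 8-byte header. */
static const uint8_t SAMPLE_TINY[] = {
    0x00,0x00,0x00,0x04, 'm','d','a','t',
};
/* Crafted: one valid chunk, then 3 trailing bytes that cannot hold a header. */
static const uint8_t SAMPLE_TRAILING[] = {
    0x00,0x00,0x00,0x0A, 'm','d','a','t', 5,6,
    0xAA,0xBB,0xCC,
};

int main(void) {
    printf("checked   ok        : %lld\n", (long long)parse_chunks_checked(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("checked   oversized : %lld\n", (long long)parse_chunks_checked(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("checked   tiny      : %lld\n", (long long)parse_chunks_checked(SAMPLE_TINY, sizeof SAMPLE_TINY));
    printf("checked   trailing  : %lld\n", (long long)parse_chunks_checked(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING));
    printf("unchecked ok        : %lld\n", (long long)parse_chunks_unchecked(SAMPLE_OK, sizeof SAMPLE_OK));
    /* parse_chunks_unchecked(SAMPLE_OVERSIZED, ...) would read ~2 GiB past the array. */
    return 0;
}
```

Building with `-fsanitize=address` and calling `parse_chunks_unchecked` on `SAMPLE_OVERSIZED` makes the over-read visible as an out-of-bounds access report; that is the class of fault the improved bounds checking in the fixed releases is meant to prevent. The three checks in `parse_chunks_checked` are the general shape of such a fix: header fits, declared size is at least the header, declared size does not exceed what remains.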

Affected Systems

Affected systems are Apple iOS and iPadOS before 18.7.2 (18.x line) and before 26.1 (26.x line), macOS Sequoia before 15.7.2, macOS Tahoe before 26.1, tvOS before 26.1 and visionOS before 26.1. Each of those releases carries the fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) reflects a network-reachable, low-complexity attack that needs no privileges but does require user interaction, with an availability impact only. The EPSS score below 1% indicates a very low predicted probability of exploitation, and the vulnerability is not listed in the CISA KEV catalogue; the SSVC record likewise marks exploitation as none and the issue as not automatable. The realistic attack path is an attacker delivering a crafted media file that the victim then opens in any application capable of processing that file type. Successful exploitation crashes that application or corrupts its process memory.

Generated by OpenCVE AI on April 28, 2026 at 10:32 UTC.

Remediation

Vendor fix: update to the releases named in the description (iOS 18.7.2 / iPadOS 18.7.2, iOS 26.1 / iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1). No separate workaround is published.

OpenCVE Recommended Actions

  • Update all Apple devices to the patched releases: iOS 18.7.2 / iPadOS 18.7.2 on the 18.x line, iOS 26.1 / iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, tvOS 26.1 and visionOS 26.1.
  • Until a device is updated, restrict automatic rendering or playback of media from untrusted sources and use device or network controls to quarantine suspicious media files.
  • Keep third‑party applications that handle media files updated as well; those that decode through the system media frameworks pick up the fix with the OS update, while any that bundle their own decoders are not covered by this CVE and rely on their own vendor's updates.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 11:00:00 +0000

Type: Title
Values added: Out‑of‑bounds media file parsing can crash apps or corrupt memory

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values removed: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in tvOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, visionOS 26.1. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Values added: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values removed: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Values added: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in tvOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, visionOS 26.1. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Type: References

Wed, 05 Nov 2025 19:30:00 +0000


Wed, 05 Nov 2025 18:45:00 +0000

Type: Description
Values removed: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.1 and iPadOS 26.1, tvOS 26.1, visionOS 26.1, macOS Sequoia 15.7.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Values added: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Type: References

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values added: Apple, Apple ios, Apple ipados, Apple iphone Os, Apple macos, Apple tvos, Apple visionos
Type: CPEs
Values added:
  cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Apple, Apple ios, Apple ipados, Apple iphone Os, Apple macos, Apple tvos, Apple visionos

Tue, 04 Nov 2025 14:15:00 +0000

Type: Weaknesses
Values added: CWE-125
Type: Metrics
Values added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type: Description
Values added: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.1 and iPadOS 26.1, tvOS 26.1, visionOS 26.1, macOS Sequoia 15.7.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:10:24.479Z

Reserved: 2025-04-16T15:24:37.116Z

Link: CVE-2025-43384

Vulnrichment

Updated: 2025-11-04T13:38:48.715Z

NVD

Status : Modified

Published: 2025-11-04T02:15:45.387

Modified: 2026-04-02T19:20:37.370

Link: CVE-2025-43384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:45:29Z

Weaknesses