Description
The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
Published: 2025-11-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage
Action: Immediate Patch
AI Analysis

Impact

A logic flaw in Apple’s operating systems causes remote images to be fetched even when the user has disabled the ‘Load Remote Images’ setting. This bypasses the expected privacy control and is classified as CWE‑359. The vulnerability enables unintended disclosure of user information or tracking vectors, compromising confidentiality while not delivering direct code execution.

Affected Systems

All Apple platforms running versions prior to the fixes are exposed. This includes iOS versions earlier than 18.7.2 and 26.1, iPadOS versions earlier than 18.7.2 and 26.1, macOS Sequoia versions earlier than 15.7.2 and Tahoe versions earlier than 26.1, and visionOS and watchOS versions earlier than 26.1.

Risk and Exploitability

The CVSS score of 7.5 indicates High severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. Likely attack vectors involve the delivery of malicious or deceptive content (such as compromised apps, phishing websites, or e-mails) that references remote images. The flaw could be triggered locally or remotely wherever the attacker can influence content, so it presents a privacy threat rather than a system-wide denial of service or code execution risk.

Generated by OpenCVE AI on April 28, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iOS to 18.7.2 or 26.1, iPadOS to 18.7.2 or 26.1, macOS Sequoia to 15.7.2 or Tahoe to 26.1, visionOS to 26.1, or watchOS to 26.1
  • Enable automatic software updates on all devices to ensure future patches are installed promptly
  • If updates cannot be applied immediately, temporarily limit network access to untrusted content sources—such as disabling cellular data for new apps or blocking known malicious domains using a firewall or DNS filtering—until the patch is available
  • Use a mobile device management solution to enforce update compliance and monitor device inventory for older OS versions

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 10:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Remote Images Load Despite User Setting Disabled – iOS and macOS Vulnerability

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: The issue was addressed by adding additional logic. This issue is fixed in watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, visionOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
Values Added: The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.

Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values Removed: The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
Values Added: The issue was addressed by adding additional logic. This issue is fixed in watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, visionOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
References

Wed, 05 Nov 2025 19:30:00 +0000


Wed, 05 Nov 2025 18:45:00 +0000

Type: Description
Values Removed: The issue was addressed by adding additional logic. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, visionOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
Values Added: The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
References

Tue, 04 Nov 2025 17:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple ipados; Apple iphone Os

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple ipados; Apple iphone Os

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple; Apple ios; Apple ipad Os; Apple macos; Apple visionos; Apple watchos

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple; Apple ios; Apple ipad Os; Apple macos; Apple visionos; Apple watchos

Tue, 04 Nov 2025 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-359

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The issue was addressed by adding additional logic. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, visionOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:21.553Z

Reserved: 2025-04-16T15:27:21.191Z

Link: CVE-2025-43496

Vulnrichment

Updated: 2025-11-04T15:32:03.760Z

NVD

Status: Modified

Published: 2025-11-04T02:15:52.783

Modified: 2026-04-02T19:20:54.813

Link: CVE-2025-43496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses