Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, watchOS 26.2. An app may be able to inappropriately access files through the spellcheck API.
Published: 2025-12-12
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Inappropriate file access
Action: Apply Update
AI Analysis

Impact

A logic issue in the spellcheck API allows an application to access files that it should not normally be able to reach. The flaw is an improper access control weakness, identified as CWE‑284, and the default CVSS score of 3.3 indicates a low severity vulnerability. The available description does not specify the breadth of potential data compromise, but the mechanics could lead to unauthorized reading of local files, affecting confidentiality.

Affected Systems

The fix is included in Apple iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, and watchOS 26.2; devices that have not yet received the applicable update are affected by this issue.

Risk and Exploitability

The CVSS score is 3.3 and the EPSS score is less than 1%, meaning exploitation is considered unlikely. The vulnerability is not catalogued in the CISA KEV list. The attack vector is inferred to be via a local or system application that interacts with the spellcheck API; the description does not explicitly mention remote exploitation. Consequently, the risk to affected systems remains low, although an attacker with the ability to install or run an application on the device could exploit the flaw to read restricted files.

Generated by OpenCVE AI on April 22, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest operating system updates – iOS 26.2, iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, or watchOS 26.2 – to receive the fix for the spellcheck API logic issue.
  • Reboot the device after applying the update to ensure that the new rules are enforced throughout the system.
  • If an immediate update is not feasible, observe Apple’s security advisories for a future release and, meanwhile, limit or revoke privileges for applications that rely on the spellcheck API to prevent unauthorized file access.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Title Inappropriate File Access via Spellcheck API

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API.
Values Added: A logic issue was addressed with improved checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, watchOS 26.2. An app may be able to inappropriately access files through the spellcheck API.

Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values Removed: A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API.
Values Added: A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API.
References

Mon, 15 Dec 2025 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Mon, 15 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Apple macos Sequoia
Apple macos Sonoma
Vendors & Products Apple
Apple macos
Apple macos Sequoia
Apple macos Sonoma

Fri, 12 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:27:11.863Z

Reserved: 2025-04-16T15:27:21.196Z

Link: CVE-2025-43518

Vulnrichment

Updated: 2025-12-15T19:23:22.157Z

NVD

Status : Modified

Published: 2025-12-12T21:15:56.630

Modified: 2026-04-02T19:20:58.720

Link: CVE-2025-43518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:45:27Z

Weaknesses