Impact
A flaw in Apple's media handling causes a process to terminate when it parses a maliciously crafted audio stream. The vulnerability stems from inadequate memory handling during stream processing, so attacker-supplied input can trigger a crash. The result is a denial of service for the affected process, which could disrupt user applications or system services that rely on media playback.
Affected Systems
Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are impacted. The issue was resolved in iOS 18.7.9, iOS 26.5, iPadOS 18.7.9, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Older versions of these operating systems that have not received these updates remain vulnerable.
Risk and Exploitability
The flaw allows an attacker to crash a process by presenting a specially crafted audio file; no code execution, data disclosure or privilege escalation is described. Because the vulnerability is limited to process termination, the impact is primarily on availability. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of <1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so the overall likelihood remains uncertain; even so, a crash can disrupt critical services if an attacker is able to supply the file. The attack vector may be local or remote, depending on how the media file can be delivered to the target device.
OpenCVE Enrichment