Apple routinely compiles and shares information about fixed vulnerabilities for its devices, including iPhones, iPads, and Macs, following each software release. In line with this, the company has provided a detailed list of security updates included in the latest iOS 18.3 and macOS Sequoia 15.3 updates. As always, we advise users to perform updates promptly to safeguard their devices against potential security threats.
The following vulnerabilities have been addressed today for iPhone, iPad, and Mac:
Accessibility
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An attacker with physical access to an unlocked device could potentially view Photos even while the app is locked.
Issue description: An authentication issue was resolved through enhanced state management.
CVE-2025-24141: Reported by Abhay Kailasia (@abhay_kailasia) from C-DAC Thiruvananthapuram, India
AirPlay
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An attacker on the local network may instigate unexpected system shutdowns or interfere with process memory.
Issue description: The situation arose from an input validation flaw, which has since been addressed.
CVE-2025-24126: Reported by Uri Katz (Oligo Security)
AirPlay
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: A remote attacker might trigger unexpected app closures.
Issue description: Enhanced checks were implemented to rectify a type confusion issue.
CVE-2025-24129: Reported by Uri Katz (Oligo Security)
AirPlay
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: A privileged attacker could execute a denial-of-service attack.
Issue description: Improvements were made to memory handling to resolve this problem.
CVE-2025-24131: Reported by Uri Katz (Oligo Security)
AirPlay
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: A remote attacker might facilitate a denial-of-service scenario.
Issue description: A null pointer dereference issue has been resolved with improved input validation.
CVE-2025-24177: Reported by Uri Katz (Oligo Security)
AirPlay
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An unexpected application closure or arbitrary code execution may result from remote attacks.
Issue description: The resolution involves improved checks to address a type confusion issue.
CVE-2025-24137: Reported by Uri Katz (Oligo Security)
ARKit
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: File processing might result in app crashes.
Issue description: The resolution is through improved checks.
CVE-2025-24127: Reported by Minghao Lin (@Y1nKoc), babywu, and Xingwei Lin of Zhejiang University
CoreAudio
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: File processing may result in unexpected app terminations.
Issue description: This flaw has been addressed with improved checks.
CVE-2025-24160: Google Threat Analysis Group
CVE-2025-24161: Google Threat Analysis Group
CVE-2025-24163: Google Threat Analysis Group
CoreMedia
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: File parsing could lead to app crashes.
Issue description: This issue has been remedied with enhanced checks.
CVE-2025-24123: Desmond working with Trend Micro Zero Day Initiative
CVE-2025-24124: Pwn2car & Rotiple (HyeongSeok Jang) working with Trend Micro Zero Day Initiative
CoreMedia
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Malicious apps may gain elevated privileges. Apple acknowledges that there may have been active exploitation against versions prior to iOS 17.2.
Issue description: A use-after-free vulnerability was resolved with improved memory management.
CVE-2025-24085
ImageIO
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Handling images could lead to denial-of-service scenarios.
Issue description: This situation has been resolved through improved memory management.
CVE-2025-24086: DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) in Enki WhiteHat, D4m0n
Kernel
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: A malicious app might gain root access.
Issue description: This issue has been addressed by implementing additional restrictions.
CVE-2025-24107: an anonymous researcher
Kernel
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An app might execute arbitrary code with kernel privileges.
Issue description: Addressed a validation issue with enhanced logic.
CVE-2025-24159: pattern-f (@pattern_F_)
LaunchServices
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An app could potentially fingerprint the user.
Issue description: This vulnerability was tackled with improved redaction of sensitive information.
CVE-2025-24117: Michael (Biscuit) Thomas (@[email protected])
libxslt
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Handling malicious web content could crash the process unexpectedly.
Issue description: This concern was managed through improved state controls.
CVE-2025-24166: Ivan Fratric of Google Project Zero
Managed Configuration
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Restoring a hostile backup could alter system files.
Issue description: Enhanced symlink handling has resolved this issue.
CVE-2025-24104: Hichem Maloufi, Hakim Boukhadra
Passkeys
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An app could gain unapproved Bluetooth access.
Issue description: This vulnerability exists in open-source code, and the CVE-ID was assigned by a third party. More information on this issue and its CVE-ID can be found at cve.org.
CVE-2024-9956: mastersplinter
Safari
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Visiting a malicious site might lead to address bar spoofing.
Issue description: This issue has been mitigated by adding extra logic.
CVE-2025-24128: @RenwaX23
Safari
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Accessing a malicious website could lead to user interface spoofing.
Issue description: Improvements were made to the UI to rectify this issue.
CVE-2025-24113: @RenwaX23
SceneKit
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: File parsing could lead to unauthorized user information disclosure.
Issue description: An out-of-bounds read situation was resolved through stricter bounds checking.
CVE-2025-24149: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
Time Zone
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An app may be able to view a contact’s phone number logged in system records.
Issue description: A privacy concern was addressed with better data redaction for log entries.
CVE-2025-24145: Kirin (@Pwnrin)
WebContentFilter
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: An attacker could instigate an unexpected system shutdown or corrupt kernel memory.
Issue description: An out-of-bounds write vulnerability was resolved with enhanced input validation.
CVE-2025-24154: an anonymous researcher
WebKit
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: A malicious webpage could potentially fingerprint the user.
Issue description: This issue was addressed with improved file access restrictions.
WebKit Bugzilla: 283117
CVE-2025-24143: an anonymous researcher
WebKit
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Processing web content could trigger a denial-of-service.
Issue description: This issue has been remedied with better memory management.
WebKit Bugzilla: 283889
CVE-2025-24158: Q1IQ (@q1iqF) of NUS CuriOSity and P1umer (@p1umer) of Imperial Global Singapore.
WebKit
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Maliciously crafted web content can trigger unexpected app crashes.
Issue description: This concern was addressed through enhanced state controls.
WebKit Bugzilla: 284159
CVE-2025-24162: linjy of HKUS3Lab and chluo of WHUSecLab
WebKit Web Inspector
Applicable to: iPhone XS and newer, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen) and newer, iPad Pro 11-inch (1st gen) and newer, iPad Air (3rd gen) and newer, iPad (7th gen) and newer, iPad mini (5th gen) and newer
Possible impact: Copying a URL from Web Inspector could lead to command injection.
Issue description: A privacy issue was resolved with improved file handling.
WebKit Bugzilla: 283718
CVE-2025-24150: Johan Carlsson (joaxcar)
AirPlay
Applicable to: macOS Sequoia
Possible impact: An attacker on the local network may be able to cause unexpected system termination or corrupt process memory.
Issue description: An input validation flaw was resolved.
CVE-2025-24126: Uri Katz (Oligo Security)
AirPlay
Applicable to: macOS Sequoia
Possible impact: An unexpected app termination could occur due to a remote attack.
Issue description: This was addressed by resolving a type confusion issue with enhanced checks.
CVE-2025-24129: Uri Katz (Oligo Security)
AirPlay
Applicable to: macOS Sequoia
Possible impact: A denial-of-service could be executed by a privileged attacker.
Issue description: This concern has been tackled with improved memory handling.
CVE-2025-24131: Uri Katz (Oligo Security)
AirPlay
Applicable to: macOS Sequoia
Possible impact: A remote attacker might cause a denial-of-service.
Issue description: A null pointer dereference has been resolved with improved input validation.
CVE-2025-24177: Uri Katz (Oligo Security)
AirPlay
Applicable to: macOS Sequoia
Possible impact: An unexpected application termination or arbitrary code execution could result from a remote attack.
Issue description: This type confusion issue has been addressed with enhanced checks.
CVE-2025-24137: Uri Katz (Oligo Security)
AppKit
Applicable to: macOS Sequoia
Possible impact: An app may gain access to protected user data.
Issue description: Additional permissions checks have resolved this issue.
CVE-2025-24087: Mickey Jin (@patch1t)
AppleGraphicsControl
Applicable to: macOS Sequoia
Possible impact: File parsing may unexpectedly terminate the app.
Issue description: This situation has been addressed with improved checks.
CVE-2025-24112: D4m0n
AppleMobileFileIntegrity
Applicable to: macOS Sequoia
Possible impact: An app might access user contact information.
Issue description: Improved restrictions have resolved a logic issue.
CVE-2025-24100: Kirin (@Pwnrin)
AppleMobileFileIntegrity
Applicable to: macOS Sequoia
Possible impact: Sensitive user data might be accessible by an app.
Issue description: A downgrade issue has been addressed with stricter code-signing rules.
CVE-2025-24109: Bohdan Stasiuk (@Bohdan_Stasiuk)
AppleMobileFileIntegrity
Applicable to: macOS Sequoia
Possible impact: An app could modify protected file system areas.
Issue description: Increased restrictions have resolved a permissions issue.
CVE-2025-24114: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Applicable to: macOS Sequoia
Possible impact: An app might alter protected sections of the file system.
Issue description: Enhanced checks address a logic issue.
CVE-2025-24121: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Applicable to: macOS Sequoia
Possible impact: Protected areas of the file system could be changed by an app.
Issue description: A downgrade issue affecting Intel-based Macs was resolved through stricter code-signing protocols.
CVE-2025-24122: Mickey Jin (@patch1t)
ARKit
Applicable to: macOS Sequoia
Possible impact: File parsing can terminate an app unexpectedly.
Issue description: This issue has been resolved with improved checks.
CVE-2025-24127: Minghao Lin (@Y1nKoc), babywu, and Xingwei Lin of Zhejiang University
Audio
Applicable to: macOS Sequoia
Possible impact: File parsing might unexpectedly halt an app.
Issue description: This concern has been rectified with improved checks.
CVE-2025-24106: Wang Yu of Cyberserval
CoreAudio
Applicable to: macOS Sequoia
Possible impact: Unexpected app termination could occur due to file parsing.
Issue description: This issue was remedied through improved checks.
CVE-2025-24160: Google Threat Analysis Group
CVE-2025-24161: Google Threat Analysis Group
CVE-2025-24163: Google Threat Analysis Group
CoreMedia
Applicable to: macOS Sequoia
Possible impact: Unexpected app termination might arise from file parsing.
Issue description: This issue has been effectively handled with improved checks.
CVE-2025-24123: Desmond working with Trend Micro Zero Day Initiative
CVE-2025-24124: Pwn2car & Rotiple (HyeongSeok Jang) collaborating with Trend Micro Zero Day Initiative
CoreMedia
Applicable to: macOS Sequoia
Possible impact: A malicious app may gain elevated privileges. Apple is aware that this may have been actively exploited in versions prior to iOS 17.2.
Issue description: A use-after-free issue was resolved through better memory management.
CVE-2025-24085
CoreRoutine
Applicable to: macOS Sequoia
Possible impact: An app could potentially ascertain the user’s location.
Issue description: This issue was addressed with enhanced checks.
CVE-2025-24102: Kirin (@Pwnrin)
FaceTime
Applicable to: macOS Sequoia
Possible impact: Access to sensitive user data may be possible for an app.
Issue description: An information disclosure issue was mitigated with upgraded privacy settings.
CVE-2025-24134: Kirin (@Pwnrin)
iCloud
Applicable to: macOS Sequoia
Possible impact: Files downloaded from the internet may lack the quarantine flag.
Issue description: This issue was resolved through improved state management.
CVE-2025-24140: Matej Moravec (@MacejkoMoravec)
iCloud Photo Library
Applicable to: macOS Sequoia
Possible impact: An app may circumvent Privacy preferences.
Issue description: Enhanced checks addressed this issue.
CVE-2025-24174: Arsenii Kostromin (0x3c3e), Joshua Jones
ImageIO
Applicable to: macOS Sequoia
Possible impact: Image processing could result in a denial-of-service situation.
Issue description: This situation was resolved through improved memory management.
CVE-2025-24086: DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) of Enki WhiteHat, D4m0n
Kernel
Applicable to: macOS Sequoia
Possible impact: An app has the potential to cause unexpected shutdowns or write to kernel memory.
Issue description: This issue was resolved with improved memory management.
CVE-2025-24118: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Kernel
Applicable to: macOS Sequoia
Possible impact: A malicious app could gain root access.
Issue description: Additional restrictions addressed a permissions issue.
CVE-2025-24107: an anonymous researcher
Kernel
Applicable to: macOS Sequoia
Possible impact: An app might execute arbitrary code with kernel privileges.
Issue description: An issue with validation was addressed through improved logic.
CVE-2025-24159: pattern-f (@pattern_F_)
LaunchServices
Applicable to: macOS Sequoia
Possible impact: An app may access sensitive user data.
Issue description: A race condition was resolved with additional validation.
CVE-2025-24094: an anonymous researcher
LaunchServices
Applicable to: macOS Sequoia
Possible impact: An app might read files beyond its sandbox constraints.
Issue description: Improved validation of path handling has addressed this issue.
CVE-2025-24115: an anonymous researcher
LaunchServices
Applicable to: macOS Sequoia
Possible impact: An app might bypass Privacy preferences.
Issue description: Additional sandbox restrictions have been applied to resolve this access issue.
CVE-2025-24116: an anonymous researcher
LaunchServices
Applicable to: macOS Sequoia
Possible impact: An app might fingerprint the user.
Issue description: This issue was resolved with better redaction of sensitive information.
CVE-2025-24117: Michael (Biscuit) Thomas (@[email protected])
libxslt
Applicable to: macOS Sequoia
Possible impact: Malicious web content processing could unexpectedly crash processes.
Issue description: This issue has been tackled through improved state management.
CVE-2025-24166: Ivan Fratric of Google Project Zero
Login Window
Applicable to: macOS Sequoia
Possible impact: A malicious app might create symlinks to protected disk areas.
Issue description: Improved validation of symlinks has addressed this issue.
CVE-2025-24136: 云散
Messages
Applicable to: macOS Sequoia
Possible impact: Sensitive user data might be accessed by an app.
Issue description: Better redaction of sensitive information has resolved this issue.
CVE-2025-24101: Kirin (@Pwnrin)
NSDocument
Applicable to: macOS Sequoia
Possible impact: A malicious app may access arbitrary files.
Issue description: Enhanced state management has addressed this issue.
CVE-2025-24096: an anonymous researcher
PackageKit
Applicable to: macOS Sequoia
Possible impact: Protected system files could be changed by an app.
Issue description: This issue has been resolved through improved checks.
CVE-2025-24130: Pedro Tôrres (@t0rr3sp3dr0)
Passwords
Applicable to: macOS Sequoia
Possible impact: An app might bypass authentication in browser extensions.
Issue description: A logging issue has been addressed with better data redaction.
CVE-2025-24169: Josh Parnham (@joshparnham)
Photos Storage
Applicable to: macOS Sequoia
Possible impact: Deleting conversations in Messages could expose user contact information in system logs.
Issue description: This issue has been resolved through improved redaction of sensitive data.
CVE-2025-24146: 神罚(@Pwnrin)
Safari
Applicable to: macOS Sequoia
Possible impact: Visiting a malicious site might cause address bar spoofing.
Issue description: Additional logic was introduced to resolve this issue.
CVE-2025-24128: @RenwaX23
Safari
Applicable to: macOS Sequoia
Possible impact: User interface spoofing may occur when visiting a malicious site.
Issue description: Improvements were made to the UI to rectify this issue.
CVE-2025-24113: @RenwaX23
SceneKit
Applicable to: macOS Sequoia
Possible impact: File parsing might lead to unauthorized disclosure of user information.
Issue description: An out-of-bounds read issue was addressed with enhanced bounds checking.
CVE-2025-24149: Michael DePlante (@izobashi) from Trend Micro Zero Day Initiative
Security
Applicable to: macOS Sequoia
Possible impact: An app might access protected user data.
Issue description: This concern was managed through improved validation of symlinks.
CVE-2025-24103: Zhongquan Li (@Guluisacat)
SharedFileList
Applicable to: macOS Sequoia
Possible impact: An app may access protected user data.
Issue description: Addressed an access issue with additional sandbox restrictions.
CVE-2025-24108: an anonymous researcher
sips
Applicable to: macOS Sequoia
Possible impact: Parsing a malicious file could unexpectedly terminate the app.
Issue description: This issue has been resolved with improved checks.
CVE-2025-24139: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
SMB
Applicable to: macOS Sequoia
Possible impact: An app might cause unexpected system shutdowns or corrupt kernel memory.
Issue description: This concern has been rectified with improved memory management.
CVE-2025-24151: an anonymous researcher
CVE-2025-24152: an anonymous researcher
SMB
Applicable to: macOS Sequoia
Possible impact: An app with root access may execute arbitrary code with kernel privileges.
Issue description: A buffer overflow issue was resolved with improved memory management.
CVE-2025-24153: an anonymous researcher
Spotlight
Applicable to: macOS Sequoia
Possible impact: Sensitive user information could be leaked by a malicious app.
Issue description: This issue was addressed through improved state management.
CVE-2025-24138: Rodolphe BRUNETTI (@eisw0lf) from Lupus Nova
StorageKit
Applicable to: macOS Sequoia
Possible impact: A malicious app could gain root access.
Issue description: A permissions issue was resolved with additional restrictions.
CVE-2025-24107: an anonymous researcher
StorageKit
Applicable to: macOS Sequoia
Possible impact: Local attackers may elevate their privileges.
Issue description: A permissions issue was addressed through improved validation.
CVE-2025-24176: Yann GASCUEL of Alter Solutions
System Extensions
Applicable to: macOS Sequoia
Possible impact: Elevated privileges may be granted to an app.
Issue description: This issue was addressed with improved message validation.
CVE-2025-24135: Arsenii Kostromin (0x3c3e)
Time Zone
Applicable to: macOS Sequoia
Possible impact: An app may be able to view a contact’s phone number in system logs.
Issue description: This privacy issue was mitigated with improved redaction of private data from logs.
CVE-2025-24145: Kirin (@Pwnrin)
TV App
Applicable to: macOS Sequoia
Possible impact: An app might read sensitive location data.
Issue description: Enhanced data protection measures were implemented to address this issue.
CVE-2025-24092: Adam M.
WebContentFilter
Applicable to: macOS Sequoia
Possible impact: An attacker may cause unexpected system shutdowns or corrupt kernel memory.
Issue description: An out-of-bounds write issue has been addressed with improved input validation.
CVE-2025-24154: an anonymous researcher
WebKit
Applicable to: macOS Sequoia
Possible impact: A maliciously crafted webpage may successfully fingerprint the user.
Issue description: This issue was addressed with enhanced file system access restrictions.
WebKit Bugzilla: 283117
CVE-2025-24143: an anonymous researcher
WebKit
Applicable to: macOS Sequoia
Possible impact: Processing web content might lead to denial-of-service.
Issue description: This issue has been resolved with improved memory handling.
WebKit Bugzilla: 283889
CVE-2025-24158: Q1IQ (@q1iqF) from NUS CuriOSity and P1umer (@p1umer) from Imperial Global Singapore.
WebKit
Applicable to: macOS Sequoia
Possible impact: Processing malicious web content might unexpectedly crash the process.
Issue description: This issue was mitigated through improved state management.
WebKit Bugzilla: 284159
CVE-2025-24162: linjy from HKUS3Lab and chluo from WHUSecLab
WebKit Web Inspector
Applicable to: macOS Sequoia
Possible impact: Copying a URL from Web Inspector could lead to command injection.
Issue description: A privacy issue was resolved with improved file handling.
WebKit Bugzilla: 283718
CVE-2025-24150: Johan Carlsson (joaxcar)
AirPlay
Applicable to: Apple Watch Series 6 and newer
Possible impact: An attacker on the local network may induce unexpected system termination or corrupt process memory.
Issue description: An input validation issue has been effectively addressed.
CVE-2025-24126: Uri Katz (Oligo Security)
AirPlay
Applicable to: Apple Watch Series 6 and newer
Possible impact: An unexpected app termination due to a remote attack may occur.
Issue description: The type confusion issue was resolved with improved checks.
CVE-2025-24129: Uri Katz (Oligo Security)
AirPlay
Applicable to: Apple Watch Series 6 and newer
Possible impact: A privileged attacker may execute a denial-of-service attack.
Issue description: Memory handling improvements have resolved this issue.
CVE-2025-24131: Uri Katz (Oligo Security)
AirPlay
Applicable to: Apple Watch Series 6 and newer
Possible impact: A remote attacker may generate unexpected application terminations or arbitrary code execution.
Issue description: Improved checks addressed the type confusion issue.
CVE-2025-24137: Uri Katz (Oligo Security)
CoreAudio
Applicable to: Apple Watch Series 6 and newer
Possible impact: File parsing might lead to unexpected app terminations.
Issue description: This issue was addressed through improved checks.
CVE-2025-24160: Google Threat Analysis Group
CVE-2025-24161: Google Threat Analysis Group
CVE-2025-24163: Google Threat Analysis Group
CoreMedia
Applicable to: Apple Watch Series 6 and newer
Possible impact: File parsing could lead to unexpected app terminations.
Issue description: Enhanced checks addressed this issue.
CVE-2025-24123: Desmond collaborating with Trend Micro Zero Day Initiative
CVE-2025-24124: Pwn2car & Rotiple (HyeongSeok Jang) working with Trend Micro Zero Day Initiative
CoreMedia
Applicable to: Apple Watch Series 6 and newer
Possible impact: A malicious application may be permitted to elevate privileges. Apple recognizes that this issue may have been actively exploited against versions of iOS before iOS 17.2.
Issue description: Improved memory management has resolved a use-after-free issue.
CVE-2025-24085
ImageIO
Applicable to: Apple Watch Series 6 and newer
Possible impact: Image processing may lead to a denial-of-service condition.
Issue description: Enhanced memory handling has resolved this issue.
CVE-2025-24086: DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) from Enki WhiteHat, D4m0n
Kernel
Applicable to: Apple Watch Series 6 and newer
Possible impact: A malicious app may be able to gain root access.
Issue description: Additional restrictions have addressed a permissions issue.
CVE-2025-24107: an anonymous researcher
Kernel
Applicable to: Apple Watch Series 6 and newer
Possible impact: An app might execute arbitrary code with kernel privileges.
Issue description: Addressed a validation issue through improved logic.
CVE-2025-24159: pattern-f (@pattern_F_)
LaunchServices
Applicable to: Apple Watch Series 6 and newer
Possible impact: An app might fingerprint the user.
Issue description: The issue was addressed with improved redaction of sensitive information.
CVE-2025-24117: Michael (Biscuit) Thomas (@[email protected])
libxslt
Applicable to: Apple Watch Series 6 and newer
Possible impact: Handling maliciously crafted web content could lead to unexpected process crashes.
Issue description: This issue was addressed through improved state management.
CVE-2025-24166: Ivan Fratric of Google Project Zero
SceneKit
Applicable to: Apple Watch Series 6 and newer
Possible impact: File parsing could disclose user information.
Issue description: An out-of-bounds read issue was remedied with better bounds checking.
CVE-2025-24149: Michael DePlante (@izobashi) from Trend Micro Zero Day Initiative
WebKit
Applicable to: Apple Watch Series 6 and newer
Possible impact: Processing web content could lead to denial-of-service.
Issue description: The issue has been addressed with enhanced memory management.
WebKit Bugzilla: 283889
CVE-2025-24158: Q1IQ (@q1iqF) from NUS CuriOSity and P1umer (@p1umer) from Imperial Global Singapore.
WebKit
Applicable to: Apple Watch Series 6 and newer
Possible impact: Maliciously crafted web content processing may unexpectedly terminate processes.
Issue description: This issue was tackled through improved state management.
WebKit Bugzilla: 284159
CVE-2025-24162: linjy from HKUS3Lab and chluo from WHUSecLab
Additionally, Apple has published security update documentation for iPadOS 17.7.4, macOS 14.7.3, macOS 13.7.3, tvOS 18.3, and Safari 18.3.