A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1, watchOS 11.5. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.
The error consists of improper memory boundary handling (CWE-119 — buffer overflow / memory corruption) during parsing of an audio stream in a multimedia file. A specially crafted file can cause memory corruption in a process, enabling an attacker to take control of code execution. The vulnerability requires no special permissions or system interaction other than the victim opening the file.
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code on the victim's device, which may lead to complete device takeover, data theft, or malicious software installation.
Systems must be immediately updated to the following versions: iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1, watchOS 11.5. Updates are available through standard Apple update mechanisms.
iOS and iPadOS versions before 18.4.1, macOS Sequoia before version 15.4.1, tvOS before version 18.4.1, visionOS before version 2.4.1, watchOS before version 11.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple iPadOS
OSApple< 18.4.1Apple iOS
OSApple< 18.4.1Apple macOS
OSApple15.0 – 15.4.1 (bez)Apple tvOS
OSApple< 18.4.1Apple Visionos
OSApple< 2.4.1Apple watchOS
OSApple< 11.5
CISA KEV — detailsi
- Vendori
- Apple ↗
- Producti
- Multiple Products
- Added to KEVi
- April 17, 2025
- Remediation deadline (US Federal)i
- May 8, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Apple iOS, iPadOS, macOS, and other Apple products contain a memory corruption vulnerability that allows for code execution when processing an audio stream in a maliciously crafted media file.
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki
Use-after-free w Apple iOS/iPadOS/macOS — privilege escalation przez aplikację