- Apple fixes CVE-2025-43300, an out-of-bounds write bug in iOS and iPadOS
- The bug allowed menace actors to run distant code execution assaults
- There may be proof of abuse within the wild, so customers ought to be on their guard
Apple has fastened a bug in iOS and iPadOS which was apparently being utilized in “a particularly subtle assault in opposition to particular focused people”.
In a safety advisory, Apple stated it fastened an out-of-bounds write difficulty it discovered within the ImageIO framework, which lets apps open, save, and work with picture information effectively, together with studying particulars like EXIF knowledge, or creating thumbnails.
An out-of-bounds bug occurs when software program mistakenly writes knowledge past the reminiscence space it was presupposed to. This may corrupt reminiscence, crash apps, and even permit menace actors to run malicious code, remotely.
Hiding the small print from the crooks
For the reason that bug was present in ImageIO, it allowed specifically crafted photographs to overflow reminiscence checks and overwrite adjoining knowledge when processed. A menace actor may ship a malicious picture in an e mail, a message, or a webpage. If the susceptible system have been to attempt to render it, the out-of-bounds write would possibly let the attacker crash the system, and even run malware.
The bug is tracked as CVE-2025-43300, and doesn’t but have a severity rating. Apple didn’t talk about the findings additional, with the intention to give everybody sufficient time to patch, with out giving different menace actors data on the way to abuse it.
Gadgets affected by this flaw embrace iPhone XS and later, iPad Professional 13-inch, iPad Professional 12.9-inch third technology and later, iPad Professional 11-inch 1st technology and later, iPad Air third technology and later, iPad seventh technology and later, and iPad mini fifth technology and later.
Apple fastened it by bettering boundary checks, in variations iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
That is the sixth zero-day vulnerability Apple fastened for the reason that begin of 2025, BleepingComputer stories, together with CVE-2025-24085 (January), CVE-2025-24200 (February), CVE-2025-24201 (March), and two in April, CVE-2025-31200 and CVE-2025-31201.
Through BleepingComputer
