A critical out-of-bounds write vulnerability (CVE-2025-43300) in the Image I/O framework allows processing of a malicious image to cause memory corruption. Attackers can deliver the malicious image via email, messaging apps, or malicious websites and achieve arbitrary code execution if the image is opened, potentially giving full control of the device, data exfiltration, spying, or further malware installation. The flaw affects iPhone XS and later and multiple recent iPad Pro, iPad Air, iPad, and iPad mini models. Evidence indicates the flaw has been exploited in an extremely sophisticated targeted attack. Users should apply the emergency update via Settings > General > Software Update immediately.
An out-of-bounds write vulnerability occurs when attackers write data outside a program's allocated memory boundaries, potentially overwriting critical system information - in this case by sending a malicious image delivered via email, messaging apps or malicious websites. If the victim opens the image, it could allow the attackers to carry out arbitrary code execution, potentially allowing them to take full control of an affected device and spy on users, steal data or install further malware.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said - without giving any further details. While this implies that the general public is unlikely to be targeted, Apple is advising users to install the new update, which includes improvements to bounds checking, immediately, via Settings, General and Software Update.
Collection
[
|
...
]