Apple released emergency patches for CVE-2025-43300, an out-of-bounds write vulnerability in the ImageIO framework used to read and write standard image formats. Processing a malicious image file may result in memory corruption and could allow attackers to hijack devices or spy on users. Apple credited its security team for the discovery and tightened bounds checking to remediate the issue. Updates were issued across iOS, iPadOS, macOS Sequoia, Sonoma, Ventura, and older iPads. Apple provided minimal technical details or attribution, and the phrasing suggests likely abuse by a sophisticated actor rather than broad criminal exploitation.
Apple has shipped emergency updates to fix an actively exploited zero-day in its ImageIO framework, warning that the flaw has already been abused in targeted attacks. Logged as CVE-2025-43300, the bug is an out-of-bounds write issue in ImageIO, the component apps rely on to read and write standard image formats. Apple warned that the flaw could let miscreants hijack devices with a booby-trapped image - and for some iDevice users, it sounds like the damage has already been done.
Apple went on to explain that "processing a malicious image file may result in memory corruption," but didn't say what that could lead to. Typically, though, these types of flaws allow stealthy attackers to spy on users and steal sensitive data. The company credits its own security team with the find and says it has tightened bounds checking to close the hole.
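Apple's advisory gives only the bug class (an out-of-bounds write reached through image parsing) and the fix class (tightened bounds checking). The following is an added illustration of that class in C, not Apple's ImageIO code and not the actual CVE-2025-43300 defect: a constructed toy image format with a one-byte width and height, a decoder that trusts those fields, and the checked version that validates every input-derived size against both the destination capacity and the bytes actually present. All format details, names and sample buffers are constructed for the example.

```c
/* Added example, not Apple's code: a toy image decoder showing the bug class
 * behind CVE-2025-43300 (out-of-bounds write from trusted size fields) and
 * the bounds checks that close it. Format and names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PIXELS 64  /* fixed output buffer: at most 8x8 greyscale pixels */

/* Toy format: byte 0 = width, byte 1 = height, then width*height pixel bytes. */
typedef struct {
    uint8_t pixels[MAX_PIXELS];
    size_t  count;
} image_t;

/* BEFORE (defective by design, for reading only): the copy length comes
 * straight from the untrusted header. A file declaring 16x16 makes memcpy
 * write 256 bytes into a 64-byte buffer, and a truncated file makes it read
 * past the end of the input. Do not feed this function untrusted data. */
int decode_unchecked(const uint8_t *buf, size_t len, image_t *out) {
    if (len < 2) return -1;
    size_t n = (size_t)buf[0] * buf[1];
    memcpy(out->pixels, buf + 2, n);   /* no check against MAX_PIXELS or len */
    out->count = n;
    return 0;
}

/* AFTER: every size derived from input is validated before it is used as a
 * copy length. Each rejection returns a distinct code so callers can log why. */
int decode_checked(const uint8_t *buf, size_t len, image_t *out) {
    if (buf == NULL || out == NULL || len < 2) return -1;
    size_t w = buf[0], h = buf[1];
    if (w == 0 || h == 0) return -2;      /* degenerate image */
    size_t n = w * h;                     /* at most 255*255, no size_t overflow */
    if (n > MAX_PIXELS) return -3;        /* would write past the destination */
    if (n > len - 2) return -4;           /* truncated input: would over-read */
    memcpy(out->pixels, buf + 2, n);
    out->count = n;
    return 0;
}

/* Builds a constructed sample file: header plus a ramp of pixel values.
 * Returns the number of bytes written, or 0 if the caller's buffer is too small. */
size_t make_sample(uint8_t w, uint8_t h, uint8_t *buf, size_t cap) {
    size_t n = (size_t)w * h;
    if (cap < n + 2) return 0;
    buf[0] = w;
    buf[1] = h;
    for (size_t i = 0; i < n; i++) buf[2 + i] = (uint8_t)i;
    return n + 2;
}

int main(void) {
    uint8_t file[2 + 255 * 255];
    image_t img;

    /* Well-formed 4x4 image: both decoders accept it. */
    size_t len = make_sample(4, 4, file, sizeof file);
    printf("4x4 unchecked: %d, checked: %d (count %zu)\n",
           decode_unchecked(file, len, &img),
           decode_checked(file, len, &img), img.count);

    /* Hostile header: 16x16 = 256 pixels for a 64-pixel buffer. Only the
     * checked decoder is called; the unchecked one would corrupt memory. */
    len = make_sample(16, 16, file, sizeof file);
    printf("16x16 checked: %d\n", decode_checked(file, len, &img));

    /* Truncated file: header promises 4x4 but only 3 pixel bytes follow. */
    printf("truncated checked: %d\n", decode_checked(file, 5, &img));
    return 0;
}
```

The two checks in `decode_checked` are independent: the capacity check stops the out-of-bounds write, and the length check stops the matching over-read, so a parser that only fixes one still has a memory-safety bug on the other path.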
As usual, Apple is keeping the juicy details under wraps. There's no attribution, no list of targets, and no technical write-up beyond the basics. The fixes continue a bruising run of emergency updates for Apple kit this year.