VYPR
Medium severity 5.5 · NVD Advisory · Published Jan 27, 2025 · Updated Apr 2, 2026

CVE-2025-24123

Description

The issue was addressed with improved checks. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Parsing a file may lead to an unexpected app termination.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Parsing a crafted file in Apple OSes can cause unexpected app termination due to an input validation bug.

CVE-2025-24123 is an input validation vulnerability in Apple's operating systems that affects the parsing of maliciously crafted files. The issue exists across multiple platforms, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The root cause is that the system does not properly validate certain data when handling file parsing, which can lead to a denial-of-service condition.

To exploit this vulnerability, an attacker would need to deliver a specially crafted file to the target user. The attack vector is local or remote depending on the delivery method, but the official description and advisory impact statements indicate that an attacker on the local network can corrupt process memory [1][3]. No authentication is required beyond the user opening the malicious file, making it relatively easy to trigger.

The impact is an unexpected application termination (crash), which constitutes a denial of service. While no code execution or privilege escalation is mentioned, the crash could be used to disrupt services or potentially lead to further exploitation in a chain. The advisory for macOS Sequoia specifically notes the impact as "An attacker on the local network may be able to corrupt process memory" [1], which may indicate a more severe consequence than simple termination.

Apple addressed this vulnerability with improved checks in the following updates released on January 27, 2025: iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3. Users are advised to update to the latest versions to mitigate the risk. No workarounds have been published.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • Apple Inc./Ipados (2 versions)
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (range: <17.7.4)
    • (no CPE) (range: >= 18.3)
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <18.3
  • Apple Inc./macOS (2 versions)
    cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* (range: <13.7.3)
    • (no CPE) (range: >= 15.3)
  • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
    Range: <18.3
  • cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
    Range: <2.3
  • cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
    Range: <11.3
  • Apple Inc./iOS (llm-fuzzy)
    Range: >= 18.3

Patches

0

No patches discovered yet.

References

14