VYPR
High severity 7.1 · NVD Advisory · Published Nov 4, 2025 · Updated Apr 2, 2026

CVE-2025-43338

Description

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26 and iPadOS 26, macOS Sonoma 14.8.2, macOS Sonoma 14.8.4, macOS Tahoe 26. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds access vulnerability in Apple's media file processing could lead to unexpected app termination or memory corruption, patched in iOS 26, iPadOS 26, and multiple macOS versions.

Vulnerability Overview

CVE-2025-43338 is an out-of-bounds access issue in Apple's media file processing. The root cause is insufficient bounds checking when handling crafted media files, allowing an attacker to read or write beyond allocated memory boundaries [2].

Exploitation

An attacker can exploit this vulnerability by delivering a maliciously crafted media file to the target user. No special privileges are required; the user only needs to open the file in an affected application. The attack vector is local or remote via file sharing, email, or web downloads.

Impact

Successful exploitation can cause unexpected app termination or corrupt process memory. While the description does not confirm code execution, memory corruption often leads to arbitrary code execution in the context of the affected process, potentially compromising system integrity.

Mitigation

Apple has addressed the issue in iOS 26 and iPadOS 26 [2], as well as macOS Sonoma 14.8.2, macOS Sonoma 14.8.4, and macOS Tahoe 26, as noted in the CVE description. Users are advised to update to the latest available versions to mitigate the risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

References: 4