VYPR
High severity 7.5 · NVD Advisory · Published Nov 4, 2025 · Updated Apr 2, 2026

CVE-2025-43376

Description

A logic issue was addressed with improved state management. This issue is fixed in Safari 26, iOS 18.7.7 and iPadOS 18.7.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A logic issue in Apple's Private Relay could let a remote attacker view leaked DNS queries, weakening the privacy protection.

Root Cause

CVE-2025-43376 is a logic issue in Apple's iCloud Private Relay feature that was addressed with improved state management. The vulnerability could allow a remote attacker to observe DNS queries that should have been hidden by Private Relay's anonymizing proxy, undermining the feature's core privacy guarantee [1][2].

Exploitation

The attack requires no specific privileges or user interaction; a remote attacker on the network path may be able to view leaked DNS queries while the victim has Private Relay enabled. The precise attack vector is not disclosed, but the bug lies in how Safari or the OS handles the relay's routing state, potentially leaking DNS lookups outside the encrypted tunnel [3].

Impact

Successful exploitation bypasses one of iCloud Private Relay's primary functions—preventing network observers from associating the user's IP address with their DNS queries. An attacker could learn which websites the user visits, breaking the privacy promise of the feature [1][4].

Mitigation

Apple fixed this issue in Safari 26, iOS 18.7.7, iPadOS 18.7.7, iOS 26, iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, and watchOS 26. All affected devices should be updated to the latest OS versions to protect against DNS leakage [2][3][4]. No workaround is available; on unpatched systems, users remain exposed to this risk even with Private Relay enabled.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

References

7
