VYPR
Medium severity 5.7 · NVD Advisory · Published Dec 17, 2025 · Updated Apr 2, 2026

CVE-2025-43533

Description

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. A malicious HID device may cause an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malicious HID device can trigger a process crash on Apple platforms due to insufficient bounds checks; the issue is fixed across the ecosystem.

CVE-2025-43533 is a vulnerability in multiple Apple operating systems that allows a malicious Human Interface Device (HID) to cause an unexpected process crash. The root cause is an insufficient bounds check in the HID subsystem, which fails to properly validate data received from a connected device, leading to memory corruption or an out-of-bounds access [1][2][4].

The attack surface is limited to physical or close-proximity scenarios, requiring the attacker to connect a specially crafted HID device (e.g., a keyboard, mouse, or other input device) to the target system. No authentication is bypassed, and the crash is triggered by sending malformed input data to the kernel or related system service [1][2].

Successful exploitation results in a denial-of-service condition, as the targeted process terminates unexpectedly. While the impact is limited to availability, in some configurations a repeated crash could hinder normal device operation until the malicious device is removed [1][2][4].

Apple addressed the issue with improved bounds checks in the following updates: iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2 [1][2][3][4]. Users should install the latest available updates for their devices.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9

Patches

0

No patches discovered yet.

References

8
