CVE-2025-46301
Description
The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. A malicious HID device may cause an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious HID device can cause an unexpected process crash on Apple platforms due to insufficient bounds checks.
Root Cause
CVE-2025-46301 is a vulnerability in Apple's HID (Human Interface Device) subsystem. It is caused by insufficient bounds checks when processing input from HID devices, and was addressed with improved bounds checks. This flaw can lead to memory corruption or an out-of-bounds access, resulting in an unexpected process crash [1][2][3][4].
Attack Vector
An attacker with physical access can connect a malicious HID device (e.g., a specially crafted keyboard, mouse, or other input device) to a vulnerable Apple device to trigger the crash. No user interaction beyond device connection is required; the vulnerability is triggered during normal HID processing [1][2][3][4].
Impact
Successful exploitation causes an unexpected process crash, leading to a denial of service (DoS). The crash may affect system stability or specific applications, depending on which process handles the malicious input. The CVSS v3 base score of 5.7 (Medium) reflects the requirement for physical access and the limited impact to availability [1][2][3][4].
Mitigation
Apple has released patches for a wide range of platforms: iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2. Users should update their devices to the latest available versions to mitigate the risk [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* range: <18.7.5
- (no CPE) range: <18.7.5, <26.2
- Range: <26.2
- Range: <26.2
- Range: <26.2
- Range: <18.7.5, <26.2
- Range: <15.7.4
- Range: <14.8.4
- Range: <26.2
Patches
No patches discovered yet.
References
- support.apple.com/en-us/126347 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126349 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126350 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125884 (nvd)
- support.apple.com/en-us/125886 (nvd)
- support.apple.com/en-us/125889 (nvd)
- support.apple.com/en-us/125890 (nvd)
- support.apple.com/en-us/125891 (nvd)