VYPR
Medium severity (5.7) · NVD Advisory · Published Feb 11, 2026 · Updated Apr 2, 2026

CVE-2025-46302

Description

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. A malicious HID device may cause an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-46302: A malicious Human Interface Device (HID) may trigger an unexpected process crash on Apple devices because of insufficient bounds checking.

Overview

CVE-2025-46302 is a vulnerability in Apple operating systems that allows a malicious Human Interface Device (HID) to cause an unexpected process crash. The issue was addressed with improved bounds checks, indicating an out-of-bounds condition in HID input handling that can lead to a denial-of-service scenario.

Exploitation

To exploit this vulnerability, an attacker requires physical access to the device to connect a malicious HID peripheral (e.g., a keyboard or other input device). No authentication or user interaction is needed beyond plugging in the device. The HID driver's lack of rigorous bounds checking on incoming data allows the attacker to trigger memory corruption that crashes the targeted process.

Impact

Successful exploitation results in an unexpected process crash, leading to denial of service. While the crash may temporarily disrupt the device's operation, there is no indication in the available references that code execution or privilege escalation is possible. The impact is limited to availability.

Mitigation

Apple has addressed this vulnerability in a wide range of product versions: iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2 [1][2][3][4]. Users are advised to update to the latest available versions for their devices.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

References: 8
