CVE-2025-46305
Description
The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. A malicious HID device may cause an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious HID device can cause an unexpected process crash on Apple platforms due to insufficient bounds checks.
Vulnerability Overview
CVE-2025-46305 is a denial-of-service vulnerability in Apple's HID subsystem. The issue stems from insufficient bounds checks when processing input from HID devices. By sending specially crafted input, a malicious HID device can trigger an out-of-bounds memory access, leading to an unexpected process crash [1][2].
Attack Vector and Prerequisites
Exploitation requires physical access to the device to connect a malicious HID device, such as a USB keyboard or other input device. No additional authentication or user interaction is needed beyond the physical connection. The attacker must be able to plug in a device that the system recognizes as a HID device [1][2].
Impact
A successful attack causes the targeted process to crash unexpectedly. While the crash itself does not directly lead to code execution or data theft, it can disrupt system operations and potentially be used to bypass security mechanisms that rely on the crashed process. The vulnerability affects a wide range of Apple platforms, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS [1][2][3][4].
Mitigation
Apple has addressed the issue with improved bounds checks in the following releases: iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2. Users are strongly advised to update their devices to the latest available versions [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* range: >=14.0,<14.8.4
- (no CPE) range: <15.7.4
- Range: <26.2
- Range: <18.7.5
Patches
No patches discovered yet.
References
- support.apple.com/en-us/126347 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126349 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126350 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125884 (nvd)
- support.apple.com/en-us/125886 (nvd)
- support.apple.com/en-us/125889 (nvd)
- support.apple.com/en-us/125890 (nvd)
- support.apple.com/en-us/125891 (nvd)