SB2025040107 - Multiple vulnerabilities in Apple iOS 18 and iPadOS 18
Published: April 1, 2025 Updated: November 12, 2025
Description
This security bulletin contains information about 78 security vulnerabilities.
1) Spoofing attack (CVE-ID: CVE-2025-24113)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Safari. A remote attacker can trick the victim into visiting a specially crafted website and spoof the page content.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-24202)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists because the Accessibility app stores sensitive information in log files. A local application can read the log files and gain access to sensitive data.
3) Path traversal (CVE-ID: CVE-2025-30454)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to an input validation error in CoreMedia Playback when handling file names. A local application can access private information.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-24097)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a permissions issue in AirDrop. A local application can read arbitrary file metadata.
5) Out-of-bounds read (CVE-ID: CVE-2025-24244)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in Audio when handling font files. A remote attacker can create a specially crafted WAV file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
6) Buffer overflow (CVE-ID: CVE-2025-24243)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Audio. A remote attacker can create a specially crafted AMR file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) State Issues (CVE-ID: CVE-2025-30430)
The vulnerability allows an attacker to gain unauthorized access to third-party services.
The vulnerability exists in Authentication Services because the software autofills passwords after authentication fails. An attacker with physical access to the system can log in to a third-party application using credentials provided by Authentication Services.
8) Security features bypass (CVE-ID: CVE-2025-24180)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists in Authentication Services due to insufficient input validation. A remote attacker can trick the victim into visiting a specially crafted website that is able to claim WebAuthn credentials from another website that shares a registrable suffix.
9) Buffer overflow (CVE-ID: CVE-2025-24237)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in BiometricKit. A local application can trigger a buffer overflow and terminate the system.
10) Path traversal (CVE-ID: CVE-2025-30429)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to an input validation error when processing filenames in Calendar. A local application can break out of its sandbox.
11) Input validation error (CVE-ID: CVE-2025-24212)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of untrusted input in Calendar. A local application can break out of its sandbox.
12) Input validation error (CVE-ID: CVE-2025-24163)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in CoreAudio. A remote attacker can trick the victim into opening a specially crafted media file and perform a denial of service (DoS) attack.
13) Out-of-bounds read (CVE-ID: CVE-2025-24230)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in CoreAudio. A remote attacker can create a specially crafted MP4 file, trick the victim into playing it, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
14) Out-of-bounds write (CVE-ID: CVE-2025-24211)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in CoreMedia. A remote attacker can create a specially crafted MP4 file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system in the context of the WebKit GPU process.
15) Buffer overflow (CVE-ID: CVE-2025-24190)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can create a specially crafted MP4 file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system in the context of the WebKit GPU process.
16) Information disclosure (CVE-ID: CVE-2025-31191)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a state issue in CoreServices. A local application can access sensitive user data.
17) Use-after-free (CVE-ID: CVE-2024-56171)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the xmlSchemaIDCFillNodeTables() and xmlSchemaBubbleIDCNodeTables() functions in xmlschemas.c. A remote attacker can pass a specially crafted XML document to the application, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
18) Out-of-bounds read (CVE-ID: CVE-2025-24182)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in CoreText when handling font files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
19) Comparison using wrong factors (CVE-ID: CVE-2024-9681)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to an error in the HSTS cache implementation. When curl is asked to use HSTS, the expiry time for a subdomain can overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This can lead to situations where the website becomes unavailable, or can force the client to switch from HTTPS to HTTP earlier than intended.
20) Path traversal (CVE-ID: CVE-2025-30456)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an input validation error in DiskArbitration when handling directory paths. A local application can gain root privileges on the system.
21) Out-of-bounds read (CVE-ID: CVE-2024-48958)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the execute_filter_delta() function in archive_read_support_format_rar.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
22) NULL pointer dereference (CVE-ID: CVE-2025-27113)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference within the xmlPatMatch() function in pattern.c. A remote attacker can pass a specially crafted XML document to the affected application and perform a denial of service (DoS) attack.
23) Improper authentication (CVE-ID: CVE-2025-30469)
The vulnerability allows an attacker to bypass the authentication process.
The vulnerability exists due to missing authentication in Photos. An attacker with physical access to the device can access photos from the lock screen.
24) Improper authentication (CVE-ID: CVE-2025-24193)
The vulnerability allows an attacker to bypass the authentication process.
The vulnerability exists due to an authentication error in MobileLockdown. An attacker with a USB-C connection to an unlocked device can programmatically access photos.
25) Improper access control (CVE-ID: CVE-2025-24221)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in Accounts. Sensitive keychain data may be accessible from an iOS backup.
26) Improper authentication (CVE-ID: CVE-2025-30428)
The vulnerability allows an attacker to bypass the authentication process.
The vulnerability exists due to missing authentication in Photos. An attacker with access to the device can view photos in the Hidden Photos Album.
27) Improper access control (CVE-ID: CVE-2025-24095)
The vulnerability allows a local application to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in RepairKit. A local application can bypass Privacy preferences.
28) Improper access control (CVE-ID: CVE-2025-30439)
The vulnerability allows an attacker with physical access to the system to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Focus. An attacker with physical access to the system can view sensitive user information.
29) Information exposure through log files (CVE-ID: CVE-2025-24283)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to the inclusion of sensitive information in a log file in Focus. A local application can access sensitive user data.
30) Information exposure through log files (CVE-ID: CVE-2025-30447)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to the inclusion of sensitive information in a log file in Foundation. A local application can access sensitive user data.
31) Improper access control (CVE-ID: CVE-2025-30463)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Handoff. A local application can access sensitive user data.
32) Out-of-bounds read (CVE-ID: CVE-2025-24210)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the CoreGraphics framework. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
33) Out-of-bounds write (CVE-ID: CVE-2025-24257)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds write in IOGPUFamily. A local application can cause unexpected system termination or write kernel memory.
34) Cross-site scripting (CVE-ID: CVE-2025-30434)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling files in Journal. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary HTML and JavaScript code.
35) State Issues (CVE-ID: CVE-2025-30432)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to a state management error in the OS kernel. An attacker with physical access to the device and a malicious app installed on it can attempt passcode entries on a locked device and thereby cause escalating time delays after 4 failures.
36) Improper access control (CVE-ID: CVE-2025-24194)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in libnetcore. A remote attacker can trick the victim into opening a specially crafted file and gain access to sensitive information.
37) State issues (CVE-ID: CVE-2025-24178)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in libxpc. A local application can break out of its sandbox.
38) Link following (CVE-ID: CVE-2025-31182)
The vulnerability allows a local application to delete arbitrary files on the system.
The vulnerability exists due to insecure symbolic link following in libxpc. A local application can delete files from the system it does not have access to.
39) Improper access control (CVE-ID: CVE-2025-24238)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in libxpc. A local application can gain elevated privileges.
40) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2025-30470)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to incorrect handling of path names in Maps. A local application can read sensitive location information.
41) Improper access control (CVE-ID: CVE-2025-30426)
The vulnerability allows a local application to enumerate installed apps on device.
The vulnerability exists due to improper access restrictions in NetworkExtension. A local application can enumerate a user's installed apps.
42) Improper access control (CVE-ID: CVE-2025-24173)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Power Services. A local application can break out of its sandbox.
43) Spoofing attack (CVE-ID: CVE-2025-30467)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Safari. A remote attacker can trick the victim into clicking on a specially crafted URL and spoof the address bar.
44) Information disclosure (CVE-ID: CVE-2025-31192)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect checks in Safari. A remote attacker can trick the victim into visiting a specially crafted website and access sensor information without user consent.
45) Protection Mechanism Failure (CVE-ID: CVE-2025-24167)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a state management issue. A remote attacker can trick the victim into visiting a specially crafted website and cause the download's origin to be incorrectly associated.
46) Input validation error (CVE-ID: CVE-2025-30471)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the Security component. A remote attacker can pass specially crafted input to the system and perform a denial of service (DoS) attack.
47) Improper access control (CVE-ID: CVE-2025-30438)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions in Share Sheet. A local application can dismiss the system notification on the Lock Screen that a recording was started.
48) Improper access control (CVE-ID: CVE-2025-30433)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Shortcuts. A local application can access files that are normally inaccessible to the Shortcuts app.
49) Improper access control (CVE-ID: CVE-2025-31183)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Siri. A local application can access sensitive user data.
50) Information exposure (CVE-ID: CVE-2025-24217)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output in Siri. A local application can access sensitive user data.
51) Information exposure through log files (CVE-ID: CVE-2025-24214)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to the inclusion of sensitive information in a log file in Siri. A local application can access sensitive user data.
52) State issues (CVE-ID: CVE-2025-24205)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in Siri. A local application can access user-sensitive data.
53) Information disclosure (CVE-ID: CVE-2025-24198)
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by Siri. An attacker with physical access to the device can use Siri to access sensitive user data.
54) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-31184)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient permissions checks. A remote attacker can trick Safari into gaining unauthorized access to Local Network.
55) Information disclosure (CVE-ID: CVE-2025-24192)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling script imports. A malicious website can gain access to sensitive information.
56) Memory corruption (CVE-ID: CVE-2025-24264)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
57) Memory corruption (CVE-ID: CVE-2025-24216)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
58) Type confusion (CVE-ID: CVE-2025-24213)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
59) Memory corruption (CVE-ID: CVE-2025-24209)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected process crash.
60) Universal cross-site scripting (CVE-ID: CVE-2025-24208)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling iframes. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
61) Use after free (CVE-ID: CVE-2025-30427)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and cause an unexpected Safari crash.
62) Information disclosure (CVE-ID: CVE-2025-30425)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a state management issue. A remote attacker can track users in Safari private browsing mode.
63) Missing authorization (CVE-ID: CVE-2025-24271)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to missing authorization checks in AirPlay. A remote non-authenticated attacker on the same network as a signed-in Mac can send it AirPlay commands without pairing.
64) Information disclosure (CVE-ID: CVE-2025-24270)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in AirPlay. A remote attacker on the local network can gain unauthorized access to sensitive information.
65) NULL pointer dereference (CVE-ID: CVE-2025-31202)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference in AirPlay. A remote attacker on the local network can perform a denial-of-service attack.
66) Use after free (CVE-ID: CVE-2025-24252)
The vulnerability allows a remote attacker on the local network to compromise the affected system.
The vulnerability exists due to a use-after-free error in AirPlay. A remote attacker on the local network can corrupt process memory.
67) Improper authentication (CVE-ID: CVE-2025-24206)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to a state issue in AirPlay when handling authentication requests. A remote attacker on the local network can bypass the authentication process and gain unauthorized access to the system.
68) Type Confusion (CVE-ID: CVE-2025-30445)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error in AirPlay. A remote attacker on the local network can perform a denial of service (DoS) attack.
69) Input validation error (CVE-ID: CVE-2025-24251)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in AirPlay. A remote attacker on the local network can send specially crafted input to the system and perform a denial of service (DoS) attack.
70) Input validation error (CVE-ID: CVE-2025-31197)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in AirPlay. A remote attacker on the local network can send specially crafted input to the system and perform a denial of service (DoS) attack.
71) Integer overflow (CVE-ID: CVE-2025-31203)
The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreUtils. A remote attacker on the local network can send specially crafted input to the system, trigger an integer overflow and perform a denial-of-service attack.
72) Protection Mechanism Failure (CVE-ID: CVE-2025-30436)
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in Siri. An attacker with physical access to the device can use Siri to enable Auto-Answer Calls.
73) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-24220)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Sandbox Profiles. A local application can read a persistent device identifier.
74) Improper input validation (CVE-ID: CVE-2025-31196)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreGraphics. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack or potentially disclose memory contents.
75) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-31199)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists because the software stores sensitive information in log files. A local application can read the log files and gain access to sensitive user data.
76) Security features bypass (CVE-ID: CVE-2025-30466)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of Same Origin Policy. A remote attacker can trick the victim into visiting a specially crafted website and bypass Same Origin Policy restrictions.
77) Out-of-bounds read (CVE-ID: CVE-2025-43205)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Audio component. A local application can trigger an out-of-bounds read error and read contents of memory on the system, which can lead to ASLR bypass.
78) Improper access control (CVE-ID: CVE-2025-24203)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Kernel. A local application can modify protected parts of the file system.
Remediation
Install the update from the vendor's website.