SB20250916387 - Multiple vulnerabilities in Apple macOS Tahoe
Published: September 16, 2025 Updated: February 4, 2026
Description
This security bulletin contains information about 87 security vulnerabilities.
1) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43328)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Sandbox. A local application can access sensitive user data.
2) Improper link resolution before file access ('link following') (CVE-ID: CVE-2025-43369)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insecure symbolic link following in SharedFileList. A local application can access protected user data.
3) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43286)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in SharedFileList. A local application can break out of its sandbox.
4) Improper input validation (CVE-ID: CVE-2025-43291)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in SharedFileList. A local application can modify protected parts of the file system.
5) Improper input validation (CVE-ID: CVE-2025-43293)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in SharedFileList. A local application can access sensitive user data.
6) Improper access control (CVE-ID: CVE-2025-43332)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Security Initialization. A local application can trick the victim into opening a specially crafted file and break out of its sandbox.
7) Input validation error (CVE-ID: CVE-2025-31259)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in SoftwareUpdate. A local application can execute arbitrary code with elevated privileges.
8) Improper access control (CVE-ID: CVE-2025-43318)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Sandbox. A local application can access private information.
9) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43329)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Sandbox. A local application can break out of its sandbox.
10) Information disclosure (CVE-ID: CVE-2025-43367)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the Siri application. A local application can gain access to protected user data.
11) Spoofing attack (CVE-ID: CVE-2025-43327)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim into visiting a specially crafted website and spoof the browser's address bar.
12) Out-of-bounds read (CVE-ID: CVE-2024-27280)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the "ungetbyte" and "ungetc" methods. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.
13) Improper input validation (CVE-ID: CVE-2025-43204)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in RemoteViewServices. A local application can break out of its sandbox.
14) Permissions, privileges, and access controls (CVE-ID: CVE-2025-31269)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Printing. A local application can access protected user data.
15) Memory corruption (CVE-ID: CVE-2025-43297)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Power Management. A local application can cause a denial-of-service.
16) Race condition (CVE-ID: CVE-2025-40909)
The vulnerability allows a local user to tamper with the application's behavior.
The vulnerability exists due to a race condition if a directory handle is open at thread creation. A local user can exploit the race and force the application to load code or access files from an unexpected location.
17) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2025-43298)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to incorrect handling of path names in PackageKit. A local application can trick the victim into opening a specially crafted file and gain root privileges.
18) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-43358)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Shortcuts. A local user can bypass sandbox restrictions.
19) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2025-43190)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to incorrect handling of path names in Spell Check. A local application can trick the victim into opening a specially crafted file and access sensitive user data.
20) Information exposure through log files (CVE-ID: CVE-2025-43279)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Notification Center. A local application can access user-sensitive data.
21) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43262)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Trusted Device. A local application can gain access to sensitive information.
22) Protection Mechanism Failure (CVE-ID: CVE-2025-43310)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in WindowServer. A local application can trick the victim into copying sensitive data to the pasteboard.
23) Use after free (CVE-ID: CVE-2025-43368)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in WebKit Process Model. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.
24) Improper access control (CVE-ID: CVE-2025-43342)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.
25) Memory corruption (CVE-ID: CVE-2025-43343)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.
26) Memory corruption (CVE-ID: CVE-2025-43272)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.
27) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-43356)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing permissions checks. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensor information without user consent.
28) Improper access control (CVE-ID: CVE-2025-43308)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Touch Bar Controls. A local application can access sensitive user data.
29) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43333)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Spotlight. A local application can gain root privileges.
30) Improper access control (CVE-ID: CVE-2025-43311)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Touch Bar. A local application can access protected user data.
31) Input validation error (CVE-ID: CVE-2025-43347)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the System component. A local application can perform a denial of service (DoS) attack.
32) State issues (CVE-ID: CVE-2025-43304)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in StorageKit. A local application can gain root privileges.
33) Improper limitation of a pathname to a restricted directory ('path traversal') (CVE-ID: CVE-2025-43314)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to incorrect handling of path names in StorageKit. A local application can trick the victim into opening a specially crafted file and access sensitive user data.
34) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43341)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Storage. A local application can gain root privileges.
35) Buffer overflow (CVE-ID: CVE-2025-6965)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing aggregated terms. A remote attacker can pass specially crafted input to the application where the number of aggregate terms exceeds the number of columns available, trigger memory corruption and perform a denial of service (DoS) attack.
36) Improper access control (CVE-ID: CVE-2025-24197)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Spotlight. A local application can access sensitive user data.
37) Information exposure through log files (CVE-ID: CVE-2025-43301)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Notification Center. A local application can access contact info related to notifications in Notification Center.
38) Improper access control (CVE-ID: CVE-2025-43207)
The vulnerability allows a local application to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the Music app. A local application can bypass implemented security restrictions and access user-sensitive data.
39) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43208)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Airport. A local application can read sensitive location information.
40) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43285)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in AppSandbox. A local application can access protected user data.
41) Out-of-bounds write (CVE-ID: CVE-2025-43349)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in CoreAudio. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination.
42) Information disclosure (CVE-ID: CVE-2025-43357)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the Call History. A local application can fingerprint the user.
43) Information exposure through log files (CVE-ID: CVE-2025-43303)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Bluetooth. A local application can access sensitive user data.
44) Information exposure through log files (CVE-ID: CVE-2025-43354)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Bluetooth. A local application can access sensitive user data.
45) Improper access control (CVE-ID: CVE-2025-43307)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Bluetooth. A local application can access sensitive user data.
46) Memory corruption (CVE-ID: CVE-2025-43346)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in Audio. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination or corrupt process memory.
47) Improper input validation (CVE-ID: CVE-2025-43330)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in ATS. A local application can break out of its sandbox.
48) Improper access control (CVE-ID: CVE-2025-43337)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in AppleMobileFileIntegrity. A local application can access sensitive user data.
49) Improper input validation (CVE-ID: CVE-2025-43372)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in CoreMedia. A local application can trick the victim into opening a specially crafted file and cause unexpected app termination or corrupt process memory.
50) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43340)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in AppleMobileFileIntegrity. A local application can break out of its sandbox.
51) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43317)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in AppleMobileFileIntegrity. A local application can access sensitive user data.
52) Cryptographic issues (CVE-ID: CVE-2025-43331)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a cryptographic issue in AppleMobileFileIntegrity. A local application can access protected user data.
53) Permissions, privileges, and access controls (CVE-ID: CVE-2025-31268)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Apple Online Store Kit. A local application can access protected user data.
54) Memory corruption (CVE-ID: CVE-2025-43344)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Apple Neural Engine. A local application can cause unexpected system termination.
55) Protection Mechanism Failure (CVE-ID: CVE-2025-43321)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to an error in AppKit when handling the launch of unsigned services on Intel Macs. A local application can gain access to sensitive information.
56) Memory corruption (CVE-ID: CVE-2025-43312)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in AMD. A local application can cause unexpected system termination.
57) State issues (CVE-ID: CVE-2025-43292)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in CoreMedia. A local application can access sensitive user data.
58) Protection Mechanism Failure (CVE-ID: CVE-2025-24088)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in CoreServices. A local application can override MDM-enforced settings from profiles.
59) Memory corruption (CVE-ID: CVE-2025-43355)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in MobileStorageMounter. A local application can cause a denial-of-service.
60) Memory corruption (CVE-ID: CVE-2025-43366)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a boundary error in IOMobileFrameBuffer. A local application can disclose coprocessor memory.
61) Improper input validation (CVE-ID: CVE-2025-43315)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in MigrationKit. A local application can access user-sensitive data.
62) Improper input validation (CVE-ID: CVE-2025-43319)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in MediaLibrary. A local application can access protected user data.
63) Improper input validation (CVE-ID: CVE-2025-43294)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to insufficient input validation in MallocStackLogging. A local application can access sensitive user data.
64) Heap-based buffer overflow (CVE-ID: CVE-2025-43353)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in libinfo. A remote attacker can trick the victim into opening a specially crafted image file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
65) Improper input validation (CVE-ID: CVE-2025-43295)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in libc. A local application can cause a denial-of-service.
66) Improper input validation (CVE-ID: CVE-2025-43299)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in libc. A local application can cause a denial-of-service.
67) State Issues (CVE-ID: CVE-2025-43359)
The vulnerability allows a remote attacker to gain unauthorized access to the system.
The vulnerability exists due to a logic error within the OS kernel. A UDP server socket bound to a local interface may become bound to all interfaces, exposing services on the Internet.
68) State issues (CVE-ID: CVE-2025-31255)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a state management issue in IOKit. A local application can access sensitive user data.
69) Improper access control (CVE-ID: CVE-2025-43305)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in CoreServices. A local application can access private information.
70) Out-of-bounds write (CVE-ID: CVE-2025-43302)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds write in IOHIDFamily. A local application can cause unexpected system termination.
71) Memory corruption (CVE-ID: CVE-2025-43287)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and escalate privileges on the system.
72) Improper access control (CVE-ID: CVE-2025-43325)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Icons. A local application can access sensitive user data.
73) Memory corruption (CVE-ID: CVE-2025-43283)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in GPU Drivers. A local application can cause unexpected system termination.
74) Memory corruption (CVE-ID: CVE-2025-43326)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a boundary error in GPU Drivers. A local application can access sensitive user data.
75) Permissions, privileges, and access controls (CVE-ID: CVE-2025-31270)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improperly imposed security restrictions in Foundation. A local application can access protected user data.
76) Protection Mechanism Failure (CVE-ID: CVE-2025-31271)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a state issue in FaceTime. Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen.
77) Permissions, privileges, and access controls (CVE-ID: CVE-2025-43316)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in DiskArbitration. A local application can gain root privileges.
78) Protection Mechanism Failure (CVE-ID: CVE-2025-43296)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in System Settings. A local application can bypass Gatekeeper checks.
79) Link following (CVE-ID: CVE-2025-43288)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to an insecure link following issue in Archive Utility. A local user can bypass Privacy preferences.
80) Out-of-bounds read (CVE-ID: CVE-2025-43361)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the Audio subsystem. A local application can trigger an out-of-bounds read error and read contents of kernel memory.
81) Improper access control (CVE-ID: CVE-2025-43323)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in CloudKit. A local application can fingerprint the user.
82) Out-of-bounds write (CVE-ID: CVE-2025-43338)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in ImageIO. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
83) Improper access control (CVE-ID: CVE-2025-43345)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in Kernel. A local application can access sensitive user data.
84) Buffer overflow (CVE-ID: CVE-2025-43419)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
85) Information disclosure (CVE-ID: CVE-2025-43376)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a logic issue in WebKit. A remote attacker can view leaked DNS queries with Private Relay turned on.
86) Protection mechanism failure (CVE-ID: CVE-2025-43320)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a logic issue in AppleMobileFileIntegrity. A local application can bypass launch constraint protections and execute malicious code with elevated privileges.
87) Out-of-bounds read (CVE-ID: CVE-2025-46306)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
Remediation
Install the update from the vendor's website.