CVE-2025-43300 - exploited in the wild

Apple iOS/iPadOS/macOS Image I/O, out-of-bounds write zero-day

An out-of-bounds write in the Image I/O framework of Apple iOS, iPadOS, and macOS lets a maliciously crafted image file cause memory corruption when processed. Apple addressed it with improved bounds checking and stated it may have been exploited in an extremely sophisticated attack against specific targeted individuals.

Overview

CVE-2025-43300 is an out-of-bounds write in Apple's Image I/O framework, the system component that decodes image files across iOS, iPadOS, and macOS. Processing a maliciously crafted image triggers memory corruption that can lead to code execution. Apple disclosed that it "may have been exploited in an extremely sophisticated attack against specific targeted individuals" - language Apple reserves for mercenary-spyware-style zero-days - and shipped emergency updates across all current OS versions. NVD carries a CISA-ADP CVSS 3.1 base of 10.0 (Critical).

Technical Details

Image I/O parses many image formats on behalf of apps; a malformed file can drive the decoder to write beyond an allocated buffer. Because image parsing is reachable through messaging, mail, and web content - often with little or no user interaction ("zero-click" when chained through an auto-rendering pipeline) - this class of bug is prized for stealthy device compromise. Apple's fix adds improved bounds checking in the affected decoder path.
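To make the bug class concrete, here is an added C illustration that is not Apple's code, not the advisory's, and does not reproduce the actual Image I/O decoder path. It uses a constructed toy raster format (the header fields `width`, `height` and `row_len`, the helper names, and the sample files are all assumptions made for this example) to show the CWE-787 pattern the advisory describes: an output buffer sized from some header fields while a different file-controlled length drives the writes into it. The unchecked decoder is shown beside the bounds-checked version that corresponds to the kind of fix Apple describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy raster format for illustration only (not Apple's Image I/O,
 * not the CVE-2025-43300 decoder path):
 *   bytes 0-1  width    u16 little-endian, pixels per output row
 *   bytes 2-3  height   u16 little-endian, number of rows
 *   bytes 4-5  row_len  u16 little-endian, bytes of pixel data stored per row
 *   bytes 6..  height * row_len bytes of 8-bit grayscale pixel data
 * Output is an 8-bit grayscale bitmap of width*height bytes. */
#define HDR_LEN 6

typedef struct { uint16_t width, height, row_len; } hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

static int read_hdr(const uint8_t *buf, size_t len, hdr_t *h) {
    if (len < HDR_LEN) return -1;
    h->width = rd16(buf);
    h->height = rd16(buf + 2);
    h->row_len = rd16(buf + 4);
    /* Input-length check, so the two decoders below differ only in the write bound. */
    if (len - HDR_LEN < (size_t)h->height * h->row_len) return -1;
    return 0;
}

/* Vulnerable pattern (CWE-787): `out` is sized from width*height, but each row is
 * copied using the file-controlled row_len. If row_len > width the later rows land
 * past the end of the allocation. Kept only for contrast; call it solely on input
 * that overflow_bytes() reports as 0. */
static uint8_t *decode_unchecked(const uint8_t *buf, size_t len, size_t *out_len) {
    hdr_t h;
    if (read_hdr(buf, len, &h)) return NULL;
    size_t pixels = (size_t)h.width * h.height;
    uint8_t *out = malloc(pixels ? pixels : 1);
    if (!out) return NULL;
    const uint8_t *src = buf + HDR_LEN;
    for (uint16_t r = 0; r < h.height; r++) {
        memcpy(out + (size_t)r * h.width, src, h.row_len);  /* BUG: no bound on row_len */
        src += h.row_len;
    }
    *out_len = pixels;
    return out;
}

/* Hardened version: reject any row that would not fit its output row, and
 * zero-fill short rows so the whole output is initialised. */
static uint8_t *decode_checked(const uint8_t *buf, size_t len, size_t *out_len) {
    hdr_t h;
    if (read_hdr(buf, len, &h)) return NULL;
    if (h.row_len > h.width) return NULL;               /* bounds check on the write */
    size_t pixels = (size_t)h.width * h.height;
    uint8_t *out = malloc(pixels ? pixels : 1);
    if (!out) return NULL;
    const uint8_t *src = buf + HDR_LEN;
    for (uint16_t r = 0; r < h.height; r++) {
        uint8_t *row = out + (size_t)r * h.width;
        memcpy(row, src, h.row_len);
        memset(row + h.row_len, 0, h.width - h.row_len);
        src += h.row_len;
    }
    *out_len = pixels;
    return out;
}

/* Bytes the unchecked loop would write past the width*height allocation (0 = in bounds). */
static size_t overflow_bytes(const uint8_t *buf, size_t len) {
    hdr_t h;
    if (read_hdr(buf, len, &h) || h.height == 0) return 0;
    size_t pixels = (size_t)h.width * h.height;
    size_t end = (size_t)(h.height - 1) * h.width + h.row_len;  /* end of the last row's write */
    return end > pixels ? end - pixels : 0;
}

/* Build a constructed sample file in dst; dst must hold 6 + height*row_len bytes. */
static size_t build_file(uint8_t *dst, uint16_t w, uint16_t hgt, uint16_t row_len, uint8_t fill) {
    dst[0] = (uint8_t)w;       dst[1] = (uint8_t)(w >> 8);
    dst[2] = (uint8_t)hgt;     dst[3] = (uint8_t)(hgt >> 8);
    dst[4] = (uint8_t)row_len; dst[5] = (uint8_t)(row_len >> 8);
    memset(dst + HDR_LEN, fill, (size_t)hgt * row_len);
    return HDR_LEN + (size_t)hgt * row_len;
}

int main(void) {
    uint8_t benign[64], crafted[64];
    size_t n_ok = build_file(benign, 4, 3, 4, 0xAB);    /* well-formed 4x3 image */
    size_t n_bad = build_file(crafted, 4, 3, 16, 0x41); /* row_len 16 > width 4 */
    size_t out_len = 0;
    uint8_t *img = decode_checked(benign, n_ok, &out_len);
    printf("benign: overflow=%zu bytes, decoded %zu pixels\n", overflow_bytes(benign, n_ok), out_len);
    printf("crafted: overflow=%zu bytes, checked decoder %s\n", overflow_bytes(crafted, n_bad),
           decode_checked(crafted, n_bad, &out_len) ? "accepted" : "rejected");
    free(img);
    return 0;
}
```

The point of the contrast is that the write bound (`row_len <= width`) must be derived from the size of the destination, not from another attacker-controlled field; the input-length check alone protects the read but does nothing for the write, which is exactly the shape of an out-of-bounds write reachable from a parsed file.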

Impact

  • Memory corruption / potential code execution from merely receiving or rendering a crafted image.
  • Targeted spyware risk: the exploitation pattern matches commercial surveillance operations against journalists, activists, and officials.
  • Cross-platform reach: the same framework ships on iPhone, iPad, and Mac.

Mitigation

  1. Update immediately: iOS/iPadOS 18.6.2 (or 17.7.10 / 16.7.12 / 15.8.5 for older hardware), macOS Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8.
  2. High-risk individuals should enable Lockdown Mode, which constrains image and message processing attack surface.
  3. Keep automatic updates on and apply Rapid Security Responses promptly.

Detection

  • Endpoint detection of zero-click exploits like this one is difficult; prioritize patching and, for at-risk users, Apple's Lockdown Mode and its threat-notification program.
  • Preserve device sysdiagnose logs if compromise is suspected and engage a qualified mobile-forensics team.
  • CISA added the CVE to the KEV catalog on August 21, 2025.
