CVE-2025-24190
Published: 31 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-24190 is a memory handling vulnerability affecting Apple's operating systems, including iOS prior to 18.4, iPadOS prior to 18.4 and 17.7.6, macOS Sequoia prior to 15.4, macOS Sonoma prior to 14.7.5, macOS Ventura prior to 13.7.5, tvOS prior to 18.4, visionOS prior to 2.4, and watchOS prior to 11.4. The flaw, classified under CWE-400 (Uncontrolled Resource Consumption), arises during the processing of maliciously crafted video files, potentially leading to unexpected application termination or process memory corruption. It has a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
A remote attacker without privileges can exploit this vulnerability by inducing a targeted Apple device to process a specially crafted video file over the network. No user interaction is required, enabling scenarios such as delivering the file via email, messaging apps, web downloads, or streaming services. Successful exploitation could result in denial of service through app crashes or, more critically, process memory corruption that might enable arbitrary code execution, data leakage, or further system compromise within the affected app's context.
Apple's security advisories detail that the issue was addressed through improved memory handling in the specified patched versions across the affected platforms. Security practitioners should prioritize updating devices to these versions, particularly given the vulnerability's high CVSS score and remote exploitability. Relevant advisories are available at support.apple.com/en-us/122371, 122372, 122373, 122374, and 122375.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Client-side memory corruption vulnerability in video processing enables remote exploitation for arbitrary code execution (zero-click) in affected applications.