CVE-2025-24257

CVE-2025-24257 is an out-of-bounds write vulnerability (CWE-787) that was addressed through improved input validation in multiple Apple operating systems. It affects versions of iOS prior to 18.4, iPadOS prior to 18.4, macOS Sequoia prior to 15.4, visionOS prior to 2.4, and watchOS prior to 11.4. The flaw allows a malicious app to potentially cause unexpected system termination or write to kernel memory, earning a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

A local attacker with no privileges can exploit this vulnerability by convincing a user to interact with a malicious app, such as through social engineering to install or execute it. Successful exploitation enables high-impact integrity and availability disruption, including kernel memory corruption or system crashes, though it does not provide confidentiality gains or privilege escalation beyond the local context.

Apple's security advisories, detailed in support documents such as https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, and https://support.apple.com/en-us/122378, confirm the issue was fixed in the listed software updates. Mitigation requires applying these patches promptly to vulnerable devices. Additional details appear in a Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2025/Apr/12.