
"The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said. Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300."
"The updates have been rolled out alongside iOS 26, iPadOS 26, iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26, which also address a number of other security flaws:
- CVE-2025-31255 - An authorization vulnerability in IOKit that could allow an app to access sensitive data
- CVE-2025-43362 - A vulnerability in LaunchServices that could allow an app to monitor keystrokes without user permission"
Apple has backported the fix for CVE-2025-43300, an out-of-bounds write in the ImageIO component that can corrupt memory when a malicious image file is processed. Apple says the flaw may have been exploited in an extremely sophisticated attack against specific targeted individuals. WhatsApp confirmed that CVE-2025-55177, a bug in its iOS and macOS apps, was chained with CVE-2025-43300 in a highly targeted spyware campaign; WhatsApp notified fewer than 200 affected users. The initial patch shipped in current OS releases, and Apple has since extended it to older iOS and iPadOS versions still in support. The same update wave also fixes other vulnerabilities across IOKit, LaunchServices, Sandbox, Safari, and further components.
Read at The Hacker News