The vulnerability, tracked as CVE-2025-43400, is an out-of-bounds write issue within the operating system’s FontParser component. An out-of-bounds write happens when a program attempts to write data to a memory location that’s outside the allocated memory buffer. This can corrupt nearby data, causing unexpected app terminations, crashes, or, in the worst-case scenario, allowing an attacker to execute arbitrary code. The problem was fixed by adding improved bounds checking to prevent such unauthorized writes.
An attacker could exploit this vulnerability by creating a special font file with manipulated data. When an application or system process loads this malicious font, it can trigger the memory corruption or crashes. Since fonts are commonly used and often processed without the user’s knowledge, this type of vulnerability presents a significant risk for attackers aiming to remotely compromise devices. Hong Kong CERT has confirmed that a remote attacker can indeed exploit this flaw.
Apple has issued updates for iOS 26, macOS 26, and other platforms to address the bug. The updates, which include versions like iOS/iPadOS 26.0.1, 18.7.1, macOS 26.0.1, and others, are available for a wide range of devices. This includes iPhone 11 and later, many iPad models, and the latest versions of macOS and visionOS.
While there is currently no public information on whether this vulnerability has been exploited in the wild, the potential for a remote attacker to gain control over a device makes it a high-priority security issue. Because of the risk, it is strongly recommended that users install the updates on all their compatible devices as soon as they can. The updates provide essential protection against this security flaw, helping to safeguard personal data and the integrity of the device.
Updating your device’s operating system is a crucial step in maintaining its security. These updates not only patch newly discovered vulnerabilities but also often include performance improvements and new features. Keeping your devices up-to-date ensures that you are protected from the latest threats and that your technology runs smoothly and efficiently. This is especially important for widely used devices like iPhones and iPads.
Reference:
