This issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.
The vulnerability results from improper memory handling during processing of a maliciously crafted video file (CWE-400 — uncontrolled resource consumption). Opening or playing such a file can cause application instability or memory corruption of a process. Apple resolved the issue by improving memory management mechanisms.
An attacker can cause unexpected termination of a running application or memory corruption of a process, which could potentially enable arbitrary code execution or system destabilization.
Systems should be updated to the following versions: iOS 18.4, iPadOS 18.4 or iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. Details are available in official Apple security bulletins at the addresses indicated in the references.
iOS before 18.4, iPadOS before 18.4 and before 17.7.6, macOS Sequoia before 15.4, macOS Sonoma before 14.7.5, macOS Ventura before 13.7.5, tvOS before 18.4, visionOS before 2.4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple iPadOS
OSApple< 17.7.618.0 – 18.4 (bez)Apple iOS
OSApple< 18.4Apple macOS
OSApple13.0 – 13.7.5 (bez)14.0 – 14.7.5 (bez)15.0 – 15.4 (bez)Apple tvOS
OSApple< 18.4Apple Visionos
OSApple< 2.4
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki