CRITICAL🇵🇱 Wersja polska

CVE-2025-43359

CVSS 9.8v3.1pub. 2025-09-15upd. 2026-04-02

A logic issue was addressed with improved state management. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A UDP server socket bound to a local interface may become bound to all interfaces.

🤖 AI Analysis
How it works

The vulnerability results from a logical error (CWE-670 — Always-Incorrect Control Flow Implementation) in UDP network socket state handling. When binding a UDP server socket to a specific local network interface, the state management error causes the socket to actually be bound to all available interfaces. As a result, network traffic directed to all device interfaces — including external or public ones — is accepted by the socket, which was supposed to handle only local communication.

Impact

An attacker with network access to the device can gain unauthorized access to UDP services that should be isolated locally, potentially leading to disclosure of sensitive data, system integrity violation, or disruption of its availability.

Mitigation & patch

Systems should be updated to the following versions: iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Patches are available through Apple's system update mechanism and in the vendor references provided above.

Who is affected

iOS and iPadOS versions prior to 18.7, macOS Sequoia prior to 15.7, macOS Sonoma prior to 14.8, as well as versions preceding: iOS 26, iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple iPadOS

    OS
    Apple
    < 18.7
  • Apple iOS

    OS
    Apple
    < 18.7
  • Apple macOS

    OS
    Apple
    14.0 – 14.8 (bez)15.0 – 15.7 (bez)
  • Apple tvOS

    OS
    Apple
    < 26.0
  • Apple Visionos

    OS
    Apple
    < 26.0
  • Apple watchOS

    OS
    Apple
    < 26.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki