Apple releases fix for CVE-2025-43300 zero-day vulnerability
Apple has released critical security updates to address a zero-day vulnerability impacting iOS, iPadOS, and macOS, which has reportedly been exploited in the wild. The flaw, tracked as CVE-2025-43300, is an out-of-bounds write vulnerability within the ImageIO framework that could lead to memory corruption when processing malicious images. In an advisory, Apple acknowledged that this issue may have been used in sophisticated attacks targeting specific individuals. The company discovered the bug internally and has implemented improved bounds checking to mitigate the risk. The fix ships in iOS 18.6.2 and iPadOS 18.6.2, for devices including iPhone XS and later and various iPad models, and in macOS Ventura 13.7.8, Sonoma 14.7.8, and Sequoia 15.6.1 for compatible Macs.
While the identity of the attackers and their specific targets remain unknown, it is believed that the vulnerability has been weaponised for highly targeted attacks. With this latest update, Apple has addressed a total of seven zero-days exploited in real-world scenarios since the beginning of the year, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, and CVE-2025-43200. Additionally, last month, Apple issued patches for a Safari vulnerability (CVE-2025-6558) linked to an open-source component, which Google had reported as a zero-day exploited in the Chrome web browser.