CVE-2025-43338 — Cross-site Scripting in Apple IOS AND Ipados

CWE-79 — Cross-site Scripting7 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 94.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Macos Apple Ipados +1 more

Timeline

PublishedNov 4

Latest updateFeb 11

Description

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26 and iPadOS 26, macOS Sonoma 14.8.2, macOS Sonoma 14.8.4, macOS Tahoe 26. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages5 packages

▶CVEListV5apple/macos< 14.8.2+2

▶NVDapple/macos< 14.8.2

▶NVDapple/ipados< 26.0

▶CVEListV5apple/ios_and_ipados< 26

▶NVDapple/iphone_os< 26.0

🔴Vulnerability Details

GHSA

GHSA-vwph-2xjc-r23h: An out-of-bounds access issue was addressed with improved bounds checking↗2025-11-04

▶

CVEList

CVE-2025-43338: An out-of-bounds access issue was addressed with improved bounds checking↗2025-11-04

▶

📋Vendor Advisories

Apple

CVE-2025-43338: macOS Sonoma 14.8.4↗2026-02-11

▶

Apple

CVE-2025-43338: macOS Sonoma 14.8.2↗2025-11-03

▶

Apple

CVE-2025-43338: macOS Tahoe 26↗2025-09-15

▶

Apple

CVE-2025-43338: iOS 26 and iPadOS 26↗2025-09-15

▶