CVE-2025-43226: 
macOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2025-43226) was discovered in Apple's ImageIO component, affecting multiple Apple operating systems including watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.7.7, and visionOS 2.6. The vulnerability was disclosed and patched on July 29, 2025 (Apple Support).

The vulnerability is classified as an out-of-bounds read issue in the ImageIO component that occurs when processing maliciously crafted images. The issue was addressed by implementing improved input validation. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating local access is required with low attack complexity and no privileges needed (NVD).

When exploited, this vulnerability could result in the disclosure of process memory when processing a maliciously crafted image. This could potentially lead to information disclosure and privacy breaches (Apple Support).

Apple has released security updates to address this vulnerability across their affected operating systems. Users should update to watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.7.7, or visionOS 2.6 depending on their device (Apple Support).