CVE-2025-43292: 
macOS vulnerability analysis and mitigation

A race condition vulnerability (CVE-2025-43292) was discovered in macOS CoreMedia component, affecting both macOS Sequoia and macOS Tahoe operating systems. The vulnerability was disclosed on September 15, 2025, and was discovered by Csaba Fitzl (@theevilbit) and Nolan Astrein of Kandji. The issue affects macOS versions from 15.0 up to (excluding) 15.7 (Apple Advisory, NVD).

The vulnerability is classified as a race condition (CWE-362) in the CoreMedia component of macOS. It received a CVSS v3.1 base score of 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access and user interaction to exploit, but does not require privileges. The vulnerability has high impact on confidentiality but no impact on integrity or availability (CISA-ADP).

When successfully exploited, the vulnerability allows a malicious application to access sensitive user data through the CoreMedia component. The attack requires local access and user interaction, making it a significant privacy concern for affected systems (Apple Advisory).

Apple has addressed this vulnerability by improving state handling in the CoreMedia component. The fix is available in macOS Sequoia 15.7 and macOS Tahoe 26. Users are advised to update their systems to these versions to mitigate the vulnerability (Apple Advisory, Apple Advisory).