Particle.news

Apple Issues Cross-Platform Patch for Single FontParser Flaw in iOS, macOS and visionOS

Apple says the FontParser bug was found internally with no known attacks, prompting calls to update quickly due to uncertain impact.

Overview

  • The vulnerability is tracked as CVE-2025-43400 and involves an out-of-bounds write in FontParser that can cause app termination or corrupt process memory.
  • Fixes shipped in iOS and iPadOS 26.0.1 and 18.7.1, macOS Tahoe 26.0.1, macOS Sequoia 15.7.1, macOS Sonoma 14.8.1, and visionOS 26.0.1.
  • watchOS 26.0.2 and tvOS 26.0.1 were released without this security fix, and visionOS updates were limited to version 26.
  • Apple credits its internal teams with discovering the issue and reports no evidence of exploitation in the wild.
  • SANS ISC notes it is unclear whether the flaw enables remote code execution, and users and administrators are advised to install the updates promptly.