CVE-2025-24128: Use After Free
Published Jan 27, 2025
·Updated
Accessibility. An authentication issue was addressed with improved state management.
Credit
Ivan Fratric(Google Project Zero), Hichem Maloufi, Hakim Boukhadra, mastersplinter, @@RenwaX23, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Kirin@@Pwnrin, an anonymous researcher, Q1IQ@@q1iqF(NUS CuriOSity), P1umer@@p1umer(Imperial Global Singapore), linjy(HKUS3Lab), chluo(WHUSecLab), Johan Carlsson (joaxcar), Josh Parnham@@joshparnham, Uri Katz (Oligo Security), Mickey Jin@@patch1t, D4m0n, Bohdan Stasiuk@@Bohdan_Stasiuk, Minghao Lin@@Y1nKoc(Zhejiang University), babywu(Zhejiang University), (Zhejiang University), Xingwei Lin(Zhejiang University), Wang Yu(Cyberserval), Google Threat Analysis Group, Desmond(Trend Micro Zero Day Initiative), Pwn2car & Rotiple (HyeongSeok Jang)(Trend Micro Zero Day Initiative), CVE-2025-24085, Song Hyun Bae@@bshyuunn, Lee Dong Ha (Who4mI), Matej Moravec@@MacejkoMoravec, Arsenii Kostromin (0x3c3e), Joshua Jones, DongJun Kim@@smlijun, JongSeong Kim in Enki WhiteHat@@nevul37, Mateusz Krzywicki@@krzywix, Joseph Ravichandran@@0xjprx(MIT CSAIL), pattern-f@@pattern_F_, Michael (Biscuit) Thomas @social.lol)@@biscuit, 风(binary_fmyy), Minghao Lin@(Y1nKoc), Pedro Tôrres@@t0rr3sp3dr0, 神罚@@Pwnrin, Zhongquan Li@@Guluisacat, Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Junsung Lee, Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), Yann GASCUEL(Alter Solutions), Adam M., PixiePoint Security, Denis Tokarev@@illusionofcha0s, Zikan Wang@@Lakr233, Guilherme Rambo(Best Buddy Apps), Jason Gendron@@gendron_jason, 이준성 (Junsung Lee), Abhay Kailasia@@abhay_kailasia(C)
Affected Software
12 affected componentsFixes available
apple macOS Sequoia
apple Safari
apple iOS
apple iPadOS
apple Safari<18.3
apple iPadOS<18.3
apple iPhone OS<18.3
Apple macOS<15.3
apple iOS<18.3
18.3
apple iPadOS<18.3
18.3
apple macOS Sequoia<15.3
15.3
apple Safari<18.3
18.3
Event History
Jan 27, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
CVE Published
via MITRE·09:45 PM
Data Sourced
via MITRE·09:45 PM
DescriptionWeakness
Data Sourced
via NVD·10:15 PM
DescriptionSeverityAffected Software
Jan 28, 2025
News Published
via The Register·08:17 AM
News Published
via The Register·08:20 AM
Known Exploited
08:20 AM
Frequently Asked Questions
1
What is the severity of CVE-2025-24128?
CVE-2025-24128 has been classified as a high-severity vulnerability due to its potential impact on authentication and input validation.
2
How do I fix CVE-2025-24128?
To remediate CVE-2025-24128, users should update their affected Apple software to the latest version available beyond 18.3.
3
What types of issues are addressed in CVE-2025-24128?
CVE-2025-24128 addresses issues related to authentication state management, null pointer dereferences, type confusion, and input validation in AirPlay.
4
Which Apple products are affected by CVE-2025-24128?
CVE-2025-24128 affects Apple Safari, iOS, iPadOS, and macOS up to version 18.3 and 15.3 respectively.
5
What is the impact of exploiting CVE-2025-24128?
Exploiting CVE-2025-24128 could allow attackers to bypass authentication and cause unintended behavior, compromising the security of the device.