CVE-2025-24220: Use After Free
Published Mar 31, 2025
·Updated
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.9. An app may be able to read a persistent device identifier.
Other sources
Accessibility. A logging issue was addressed with improved data redaction.
— Apple
Accessibility. The issue was addressed by adding additional logic.
— Apple
Accounts. This issue was addressed with improved data access restriction.
— Apple
AirDrop. A permissions issue was addressed with additional restrictions.
— Apple
AirPlay. A null pointer dereference was addressed with improved input validation.
— Apple
Credit
Wojciech Regula(SecuRing), Dave G., Kirin@@Pwnrin, 7feilee, Eric Dorphy(Twin Cities App Dev LLC), Adam M., Google V8 Security Team, Ignacio Sanmillan@@ulexec, Jiming Wang, Jikai Ren, an anonymous researcher, Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), Mickey Jin@@patch1t, Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Chi Yuan Chang(ZUSO ART), taikosoup, Dawuge(Shuffle Team), Gary Kwong(Trend Micro Zero Day Initiative), CVE-2025-43226, Tony Iskow@@Tybbow, Christian Kohlschütter, Ivan Fratric(Google Project Zero), Himanshu Bharti@@Xpl0itme, Yuhao Hu, Yan Kang, Chenggang Wu, Xiaojie Wei, Clément Lecigne(Google's Threat Analysis Group), Vlad Stolyarov(Google's Threat Analysis Group), Ron Masas(BREAKPOINT), Dillon Franke(Google Project Zero), wac(Trend Micro Zero Day Initiative), Wang Yu(Cyberserval), Andrew James Gonzalez, Lyutoon(Atredis Partners), YenKoc(Atredis Partners), Dayton Pidhirney(Atredis Partners), Saagar Jha, Mateusz Krzywicki@@krzywix, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Lucas Leong@@_wmliang_(Trend Micro Zero Day Initiative), CVE-2024-8176, Richard Hyunho Im@@richeeta, Andr.Ess, Noah Gregory (wts.dev), wac, Thibaud Kehler, jioundai(360 Vulnerability Research Institute), chen fengjiao(HBC), Zhongcheng Li(IES Red Team of ByteDance), Lehan Dilusha@@zafer, Uri Katz (Oligo Security), Dominik Rath, Martin Kreichgauer(Google Chrome), Yutong Xiu@@Sou1gh0st, Denis Tokarev@@illusionofcha0s, Google Threat Analysis Group, pattern-f@@pattern_F_, Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), CVE-2024-9681, Gergely Kalman@@gergely_kalman, LFY@@secsys(Fudan University), mzzzz__, Anonymous(Trend Micro Zero Day Initiative), Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, Michael (Biscuit) Thomas - @social.lol@@biscuit, Ian Beer(Google Project Zero), CVE-2024-48958, CVE-2025-27113, CVE-2024-56171, Alex Radocea(Supernetworks), Dave G.(Supernetworks), 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, Alexia Wilson(Microsoft), Christine Fossaceca(Microsoft), Alhour@@NSAntoine, Florian Draschbacher, Jimmy, Jax Reissner, Dalibor Milanovic, Jaydev Ahire, @@RenwaX23, Syarif Muhammad Sajjad, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), Luyi Xing(Indiana University Bloomington), Halle Winkler, Politepix theoffcuts.org, Abhay Kailasia@@abhay_kailasia(C), Bohdan Stasiuk@@bohdan_stasiuk, YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), Richard Hyunho Im with routezero.security@@richeeta, Alexander Heinrich@@Sn0wfreeze, SEEMOO, TU Darmstadt & Mathy Vanhoef@@vanhoefm, Jeroen Robben@@RobbenJeroen, DistriNet, KU Leuven, Vsevolod Kokorin (Slonser)(Solidlab), Gary Kwong, Paul Bakker(ParagonERP), Francisco Alonso@@revskills, rheza@@ginggilBesel
Affected Software
5 affected componentsFixes available
Apple iOS, iPadOS, and macOS<17.7.7
17.7.7
Apple iOS, iPadOS, and macOS<18.4
iPhone OS<18.4
Apple iOS and iPadOS<18.4
18.4
Apple iOS, iPadOS, and macOS<18.4
18.4
Event History
Mar 31, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
May 12, 2025
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
CVE Published
via MITRE·09:42 PM
Data Sourced
via MITRE·09:42 PM
DescriptionWeakness
Data Sourced
via NVD·10:15 PM
DescriptionSeverityWeaknessAffected Software
Jul 29, 2025
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-24097
- CVE-2025-31251
- CVE-2025-31235
- CVE-2025-31208
- CVE-2025-31196
- CVE-2025-31209
- CVE-2025-31239
- CVE-2025-31233
- CVE-2025-24111
- CVE-2025-31210
- CVE-2025-30448
- CVE-2025-31226
- CVE-2025-24144
- CVE-2025-31219
- CVE-2025-31241
- CVE-2024-8176
- CVE-2025-24225
- CVE-2025-31228
- CVE-2025-24259
- CVE-2025-31245
- CVE-2025-24220
- CVE-2025-31221
- CVE-2025-31213
- CVE-2025-31242
- CVE-2025-31220
- CVE-2025-24213
- CVE-2025-31217
- CVE-2025-31215
- CVE-2025-31206
- CVE-2025-43217
- CVE-2025-43222
- CVE-2025-43223
- CVE-2025-43220
- CVE-2025-43210
- CVE-2025-43230
- CVE-2025-31279
- CVE-2025-43209
- CVE-2025-43226
- CVE-2025-24224
- CVE-2025-43282
- CVE-2025-7424
- CVE-2025-31276
- CVE-2025-43225
- CVE-2025-31278
- CVE-2025-43211
- CVE-2025-43216
- CVE-2025-6558
- CVE-2025-31216
- CVE-2025-43374
- CVE-2025-24202
- CVE-2025-24221
- CVE-2025-24271
- CVE-2025-24270
- CVE-2025-31202
- CVE-2025-24252
- CVE-2025-24206
- CVE-2025-30445
- CVE-2025-24251
- CVE-2025-31197
- CVE-2025-43205
- CVE-2025-24244
- CVE-2025-24243
- CVE-2025-30430
- CVE-2025-24180
- CVE-2025-24237
- CVE-2025-30429
- CVE-2025-24212
- CVE-2025-24163
- CVE-2025-24230
- CVE-2025-24211
- CVE-2025-24190
- CVE-2025-30454
- CVE-2025-31191
- CVE-2025-24182
- CVE-2025-31203
- CVE-2024-9681
- CVE-2025-30456
- CVE-2025-30439
- CVE-2025-24283
- CVE-2025-30447
- CVE-2025-30463
- CVE-2025-24210
- CVE-2025-24257
- CVE-2025-30434
- CVE-2025-30432
- CVE-2025-24203
- CVE-2024-48958
- CVE-2025-24194
- CVE-2025-27113
- CVE-2024-56171
- CVE-2025-24178
- CVE-2025-31182
- CVE-2025-24238
- CVE-2025-31199
- CVE-2025-30470
- CVE-2025-46308
- CVE-2025-24193
- CVE-2025-30426
- CVE-2025-30428
- CVE-2025-30469
- CVE-2025-24173
- CVE-2025-24095
- CVE-2025-30466
- CVE-2025-24113
- CVE-2025-30467
- CVE-2025-31192
- CVE-2025-24167
- CVE-2025-30471
- CVE-2025-30438
- CVE-2025-30433
- CVE-2025-30436
- CVE-2025-31183
- CVE-2025-24217
- CVE-2025-24214
- CVE-2025-24205
- CVE-2025-24198
- CVE-2025-31184
- CVE-2025-24192
- CVE-2025-24264
- CVE-2025-24216
- CVE-2025-24209
- CVE-2025-24208
- CVE-2025-30427
- CVE-2025-30425
Frequently Asked Questions
1
What is the severity of CVE-2025-24220?
CVE-2025-24220 has been classified as a high severity vulnerability due to its potential impact on system security.
2
How do I fix CVE-2025-24220?
To fix CVE-2025-24220, update your affected Apple iPadOS device to version 17.7.7 or later.
3
What types of issues are related to CVE-2025-24220?
CVE-2025-24220 addresses permissions issues, memory management issues, and input sanitization problems across various components.
4
Which Apple products are affected by CVE-2025-24220?
CVE-2025-24220 affects iPadOS versions below 17.7.7.
5
What should I do if I can't update my device for CVE-2025-24220?
If you cannot update your device, consider implementing additional security measures while monitoring for any signs of exploitation related to CVE-2025-24220.