CVE-2025-43417: Race Condition
Published Dec 12, 2025
·Updated
A path handling issue was addressed with improved logic. This issue is fixed in macOS Sonoma 14.8.4, macOS Tahoe 26.2. An app may be able to access user-sensitive data.
Other sources
App Store. A permissions issue was addressed with additional restrictions.
— Apple
AppleEvents. An authorization issue was addressed with improved state management.
— Apple
AppleJPEG. The issue was addressed with improved bounds checks.
— Apple
AppleMobileFileIntegrity. A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
— Apple
AppleMobileFileIntegrity. A parsing issue in the handling of directory paths was addressed with improved path validation.
— Apple
Credit
an anonymous researcher, Mickey Jin@@patch1t, Jex Amro, Michael Reeves@@IntegralPilot, Wojciech Regula(SecuRing), Riley Walz, CVE-2024-7264, CVE-2025-9086, Yiğit Ocak, Ron Elemans, Noah Gregory (wts.dev), Andrew Calvano(Meta Product Security), Lucas Pinheiro(Meta Product Security), Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Duy Trần@@khanhduytran0, Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), Kaitao Xie(Alibaba Group), Xiaolong Bai(Alibaba Group), Kenneth Chew, CVE-2025-5918, Rosyna Keller(Totally Not Malicious Software), Google Threat Analysis Group, Haoling Zhou(SecLab of The Ohio State University), Shixuan Zhao@@NSKernel(SecLab of The Ohio State University), Chao Wang@@evi0s(SecLab of The Ohio State University), Zhiqiang Lin(SecLab of The Ohio State University), Atul R V, an anonymous researcher(Technische Hochschule Ingolstadt), Michael Schmutzer(Technische Hochschule Ingolstadt), @@retsew0x01, Kirin@@Pwnrin, Iván Savransky, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), Morris Richman@@morrisinlife, Gergely Kalman@@gergely_kalman, Kay Belardinelli (Harvard University), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Nan Wang@@eternalsakura13, Google Big Sleep, Phil Pizlo(Epic Games), Apple, 이동하 (Lee Dong Ha(BoB 14th), floeki(IES Red Team of ByteDance), Zhongcheng Li(IES Red Team of ByteDance), Ryan Dowd@@_rdowd, Amy (amys.website), Anonymous(Trend Micro Zero Day Initiative), Yiğit Can YILMAZ@@yilmazcanyigit, Golden Helm Securities(Iru), Gergely Kalman@@gergely_kalman(Iru), Csaba Fitzl@@theevilbit(Iru), Murray Mike, 이동하 (Lee Dong Ha)(SSA Lab), George Karchemsky@@gkarchemsky(Trend Micro Zero Day Initiative), Xin'an Zhou, Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, Mathy Vanhoef, CVE-2025-59375, Ron Masas(BreakPoint), Chunyu Song(NorthSea), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Enis Maholli (enismaholli.com), Gongyu Ma@@Mezone0, LeminLimez, @@cloudlldb, Wang Yu(Cyberserval)
Affected Software
3 affected componentsFixes available
Apple macOS Sonoma<14.8.4
14.8.4
Apple macOS Tahoe<26.2
26.2
Apple macOS<14.8.4
Event History
Dec 12, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Feb 11, 2026
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
CVE Published
via MITRE·10:58 PM
Data Sourced
via MITRE·10:58 PM
DescriptionWeakness
Data Sourced
via NVD·11:16 PM
DescriptionSeverityWeaknessAffected Software
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-20670
- CVE-2026-20624
- CVE-2026-20625
- CVE-2026-20660
- CVE-2025-43403
- CVE-2026-20611
- CVE-2026-20609
- CVE-2026-20617
- CVE-2026-20615
- CVE-2025-46283
- CVE-2026-20627
- CVE-2025-43417
- CVE-2026-20620
- CVE-2025-43338
- CVE-2026-20634
- CVE-2026-20675
- CVE-2026-20671
- CVE-2025-59375
- CVE-2026-20667
- CVE-2026-20673
- CVE-2026-20677
- CVE-2026-20651
- CVE-2026-20694
- CVE-2026-20616
- CVE-2025-43533
- CVE-2025-46300
- CVE-2025-46301
- CVE-2025-46302
- CVE-2025-46303
- CVE-2025-46304
- CVE-2025-46305
- CVE-2025-46310
- CVE-2026-20614
- CVE-2026-20628
- CVE-2025-46290
- CVE-2026-20653
- CVE-2026-20680
- CVE-2026-20612
- CVE-2026-20641
- CVE-2026-20606
- CVE-2026-20605
- CVE-2026-20621
- CVE-2025-43402
- CVE-2026-20602
- CVE-2025-46288
- CVE-2025-43539
- CVE-2025-43523
- CVE-2025-43519
- CVE-2025-43522
- CVE-2025-43521
- CVE-2025-46289
- CVE-2025-46297
- CVE-2025-43482
- CVE-2025-43517
- CVE-2025-46287
- CVE-2024-7264
- CVE-2025-9086
- CVE-2025-43542
- CVE-2025-46281
- CVE-2025-43518
- CVE-2025-43532
- CVE-2025-46278
- CVE-2025-46279
- CVE-2025-43524
- CVE-2025-43512
- CVE-2025-46285
- CVE-2025-46291
- CVE-2025-5918
- CVE-2025-43513
- CVE-2025-46276
- CVE-2025-43509
- CVE-2025-43410
- CVE-2025-43428
- CVE-2025-43526
- CVE-2024-8906
- CVE-2025-46277
- CVE-2025-43538
- CVE-2025-43514
- CVE-2025-43527
- CVE-2025-43416
- CVE-2025-43516
- CVE-2025-43530
- CVE-2025-46282
- CVE-2025-43541
- CVE-2025-43536
- CVE-2025-43535
- CVE-2025-46298
- CVE-2025-43501
- CVE-2025-43531
- CVE-2025-14174
- CVE-2025-43529
- CVE-2025-46299
- CVE-2025-43511