CVE-2025-43494: Use After Free
Published Nov 3, 2025
·Updated
A mail header parsing issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. An attacker may be able to cause a persistent denial-of-service.
Other sources
Accessibility. A permissions issue was addressed with additional restrictions.
— Apple
Admin Framework. A logic issue was addressed with improved checks.
— Apple
Admin Framework. The issue was addressed with improved checks.
— Apple
App Store. A logging issue was addressed with improved data redaction.
— Apple
Apple Account. A privacy issue was addressed with improved checks.
— Apple
Credit
Ron Masas(BreakPoint), Pinak Oza, an anonymous researcher, Gergely Kalman@@gergely_kalman, Hikerell (Loadshine Lab), Zhongcheng Li(IES Red Team of ByteDance), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), iisBuri, Apple, Cristian Dinca (icmd.tech), Dave G.(supernetworks), Alex Radocea(supernetworks), Taavi Eomäe(Zone Media), Romain Lebesle(Khatima), Himanshu Bharti@@Xpl0itme(Khatima), Dalibor Milanovic, @@RenwaX23, Stanislav Jelezoglo, Aleksejs Popovs, Phil Beauvoir, Google Big Sleep, Nan Wang@@eternalsakura13, rheza@@ginggilBesel(Trend Micro Zero Day Initiative), shandikri(Trend Micro Zero Day Initiative), Gary Kwong(Trend Micro Zero Day Initiative), Justin Cohen(Google), Tom Van Goethem, Ryan Dowd@@_rdowd, Csaba Fitzl@@theevilbit(Kandji), Nolan Astrein(Kandji), Mickey Jin@@patch1t, Joseph Ravichandran@@0xjprx(MIT CSAIL), Dave G. (supernetworks.org), JZ, Michael Reeves@@IntegralPilot, Duy Trần@@khanhduytran0, Morris Richman@@morrisinlife, 이동하 (Lee Dong Ha(BoB 14th), wac(Trend Micro Zero Day Initiative), Adwiteeya Agrawal, Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), pattern-f@@pattern_F_, Ferdous Saljooki@@malwarezoo(Jamf), Murray Mike, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), BynarIO AI (bynar.io), Kirin@@Pwnrin, Atul R V, Asaf Cohen, CVE-2024-43398, CVE-2024-49761, CVE-2025-6442, Vivek Dhar, ASI (RM) in Border Security Force, FTR HQ BSF Kashmir, Nikolai Skliarenko(Trend Micro Zero Day Initiative), Kirin@@Pwnrin(Microsoft), Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), Wang Yu(Cyberserval), Dennis Briner, Minghao Lin@@Y1nKoc, Lyutoon@@Lyutoon_, YingQi Shi@@Mas0n, Joshua Thomas, rheza@@ginggilBesel, Lehan Dilusha Jayasinghe, Gary Kwong, Wojciech Regula(SecuRing), Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Lukaah Marlowe, Rosyna Keller(Totally Not Malicious Software), Google Threat Analysis Group, KPC(Cisco Talos), Isaiah Wan, Will Caine, Thomas Salomon, Sufiyan Gouri (TU Darmstadt), Phil Scott & Richard Hyunho Im (@richeeta)@@MrPeriPeri, Mark Bowers, Joey Hewitt, Dylan Rollins, Arthur Baudoin, Andr.Ess, Mikael Kinnman, 이동하 (Lee Dong Ha)(SSA Lab), Alexia Wilson(Microsoft), Christine Fossaceca(Microsoft), CVE-2025-6965, Kenneth Chew, Rodolphe Brunetti@@eisw0lf(Lupus Nova), @@EthanArbuckle, Doug Hogan, Zhongquan Li@@Guluisacat, an anonymous researcher(Microsoft), Amy@@asentientbot, CVE-2025-32462, CVE-2025-53906, @@cloudlldb
Affected Software
25 affected componentsFixes available
Apple WatchOS<26.1
Apple iOS<18.7.2, <26.1
Apple iPadOS<18.7.2, <26.1
Apple macOS Tahoe<26.1
Apple visionOS<26.1
Apple macOS Sonoma<14.8.2
Apple macOS Sequoia<15.7.2
Apple macOS Sonoma<14.8.2
14.8.2
Apple WatchOS<26.1
26.1
Apple macOS Sequoia<15.7.2
15.7.2
Apple iOS<26.1
26.1
Apple iPadOS<26.1
26.1
Apple macOS Tahoe<26.1
26.1
Apple iOS<18.7.2
18.7.2
Apple iPadOS<18.7.2
18.7.2
Apple visionOS<26.1
26.1
Apple iPadOS<18.7.2
Apple iPadOS=26.0
Apple iPhone OS<18.7.2
Apple iPhone OS=26.0
Apple macOS>=14.0<14.8.2
Apple macOS>=15.0<15.7.2
Apple macOS=26.0
Apple visionOS<26.1
Apple WatchOS<26.1
Event History
Nov 3, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Nov 5, 2025
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Dec 12, 2025
CVE Published
via MITRE·08:56 PM
Data Sourced
via MITRE·08:56 PM
DescriptionWeakness
Data Sourced
via NVD·09:15 PM
DescriptionSeverityWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-43455
- CVE-2025-43447
- CVE-2025-43462
- CVE-2025-43379
- CVE-2025-43448
- CVE-2025-43436
- CVE-2025-43445
- CVE-2025-43507
- CVE-2025-43400
- CVE-2025-43444
- CVE-2025-43398
- CVE-2025-43510
- CVE-2025-43520
- CVE-2025-43413
- CVE-2025-43494
- CVE-2025-43496
- CVE-2025-43294
- CVE-2025-43459
- CVE-2025-43503
- CVE-2025-43500
- CVE-2025-43480
- CVE-2025-43458
- CVE-2025-43430
- CVE-2025-43443
- CVE-2025-43440
- CVE-2025-43438
- CVE-2025-43457
- CVE-2025-43434
- CVE-2025-43435
- CVE-2025-43425
- CVE-2025-43433
- CVE-2025-43431
- CVE-2025-43432
- CVE-2025-43429
- CVE-2025-43392
- CVE-2025-43322
- CVE-2025-43337
- CVE-2025-43390
- CVE-2025-43468
- CVE-2025-43469
- CVE-2025-43378
- CVE-2025-43478
- CVE-2025-43407
- CVE-2025-43446
- CVE-2025-43361
- CVE-2025-43423
- CVE-2025-43472
- CVE-2025-43394
- CVE-2025-43395
- CVE-2025-43401
- CVE-2025-43292
- CVE-2025-43479
- CVE-2025-43382
- CVE-2025-43481
- CVE-2025-43387
- CVE-2025-43420
- CVE-2025-43498
- CVE-2025-43348
- CVE-2025-43474
- CVE-2025-43396
- CVE-2025-43383
- CVE-2025-43385
- CVE-2025-43384
- CVE-2025-43377
- CVE-2025-43389
- CVE-2025-43410
- CVE-2025-43411
- CVE-2025-43405
- CVE-2025-43391
- CVE-2024-43398
- CVE-2024-49761
- CVE-2025-6442
- CVE-2025-43335
- CVE-2025-43408
- CVE-2025-43476
- CVE-2025-30465
- CVE-2025-43414
- CVE-2025-43499
- CVE-2025-43380
- CVE-2025-43477
- CVE-2025-43399
- CVE-2025-43336
- CVE-2025-43397
- CVE-2025-43409
- CVE-2025-43334
- CVE-2025-43412
- CVE-2025-43373
- CVE-2025-43442
- CVE-2025-43450
- CVE-2025-43365
- CVE-2025-43386
- CVE-2025-43439
- CVE-2025-43493
- CVE-2025-43454
- CVE-2025-43418
- CVE-2025-43441
- CVE-2025-43495
- CVE-2025-43511
- CVE-2025-43502
- CVE-2025-43427
- CVE-2025-43421
- CVE-2025-43449
- CVE-2025-43426
- CVE-2025-43350
- CVE-2025-43437
- CVE-2025-43424
- CVE-2025-46316
- CVE-2025-43460
- CVE-2025-43422
- CVE-2025-43452
- CVE-2025-43372
- CVE-2025-43338
- CVE-2025-31199
- CVE-2025-6965
- CVE-2025-43471
- CVE-2025-46313
- CVE-2025-43388
- CVE-2025-43466
- CVE-2025-43465
- CVE-2025-43497
- CVE-2025-43461
- CVE-2025-43381
- CVE-2025-43470
- CVE-2025-46315
- CVE-2025-43464
- CVE-2025-43467
- CVE-2025-43364
- CVE-2025-43506
- CVE-2025-43508
- CVE-2025-43393
- CVE-2025-43406
- CVE-2025-43404
- CVE-2025-43339
- CVE-2025-43473
- CVE-2025-43351
- CVE-2025-43463
- CVE-2025-32462
- CVE-2025-53906
- CVE-2025-43402
Frequently Asked Questions
1
What is the severity of CVE-2025-43494?
CVE-2025-43494 is considered a moderate severity vulnerability that can lead to a persistent denial-of-service.
2
How do I fix CVE-2025-43494?
To fix CVE-2025-43494, update your device to the latest versions of affected software listed in the vulnerability description.
3
Which products are affected by CVE-2025-43494?
CVE-2025-43494 affects watchOS 26.1, iOS 18.7.2, iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, macOS Sonoma 14.8.2, and macOS Sequoia 15.7.2.
4
What type of issue does CVE-2025-43494 involve?
CVE-2025-43494 involves a mail header parsing issue that allows attackers to potentially achieve a denial-of-service.
5
When was CVE-2025-43494 fixed?
CVE-2025-43494 was fixed in the releases of watchOS 26.1, iOS 18.7.2, iPadOS 18.7.2, and other specified versions.