APPLE-SA-09-15-2025-1 iOS 26 and iPadOS 26

[Apple Product Security via Fulldisclosure <fulldisclosure () seclists org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-09-15-2025-1 iOS 26 and iPadOS 26

iOS 26 and iPadOS 26 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125108.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2025-43344: an anonymous researcher

AppleMobileFileIntegrity
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2025-43317: Mickey Jin (@patch1t)

Audio
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing a maliciously crafted media file may lead to
unexpected app termination or corrupt process memory
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2025-43346: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative

Bluetooth
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43354: Csaba Fitzl (@theevilbit) of Kandji
CVE-2025-43303: Csaba Fitzl (@theevilbit) of Kandji

Call History
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to fingerprint the user
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2025-43357: Rosyna Keller of Totally Not Malicious Software,
Guilherme Rambo of Best Buddy Apps (rambo.codes)

CoreAudio
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing a maliciously crafted video file may lead to
unexpected app termination
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2025-43349: @zlluny working with Trend Micro Zero Day Initiative

CoreMedia
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing a maliciously crafted media file may lead to
unexpected app termination or corrupt process memory
Description: The issue was addressed with improved input validation.
CVE-2025-43372: 이동하 (Lee Dong Ha) of SSA Lab

IOHIDFamily
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2025-43302: Keisuke Hosoda

IOKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to access sensitive user data
Description: An authorization issue was addressed with improved state
management.
CVE-2025-31255: Csaba Fitzl (@theevilbit) of Kandji

Kernel
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: A UDP server socket bound to a local interface may become bound
to all interfaces
Description: A logic issue was addressed with improved state management.
CVE-2025-43359: Viktor Oreshkin

LaunchServices
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to monitor keystrokes without user permission
Description: The issue was addressed with improved checks.
CVE-2025-43362: Philipp Baldauf

MobileStorageMounter
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to cause a denial-of-service
Description: A type confusion issue was addressed with improved memory
handling.
CVE-2025-43355: Dawuge of Shuffle Team

Notes
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An attacker with physical access to an unlocked device may be
able to view an image in the most recently viewed locked note
Description: The issue was addressed with improved handling of caches.
CVE-2025-43203: Tom Brzezinski

Safari
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing maliciously crafted web content may lead to
unexpected URL redirection
Description: This issue was addressed with improved URL validation.
CVE-2025-31254: Evan Waelde

Sandbox
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to break out of its sandbox
Description: A permissions issue was addressed with additional
restrictions.
CVE-2025-43329: an anonymous researcher

Shortcuts
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: A shortcut may be able to bypass sandbox restrictions
Description: A permissions issue was addressed with additional sandbox
restrictions.
CVE-2025-43358: 정답이 아닌 해답

Siri
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Private Browsing tabs may be accessed without authentication
Description: This issue was addressed through improved state management.
CVE-2025-30468: Richard Hyunho Im (@richeeta)

Spell Check
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was
addressed with improved path validation.
CVE-2025-43190: Noah Gregory (wts.dev)

SQLite
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing a file may lead to memory corruption
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-6965

System
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: An input validation issue was addressed
Description: This issue was addressed by removing the vulnerable code.
CVE-2025-43347: JZ, Seo Hyun-gyu (@wh1te4ever), Luke Roberts (@rookuu)

Text Input
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Keyboard suggestions may display sensitive information on the
lock screen
Description: This issue was addressed by restricting options offered on
a locked device.
CVE-2025-24133: Joey Hewitt, an anonymous researcher, Thomas Salomon,
Sufiyan Gouri (TU Darmstadt), Phil Scott (@MrPeriPeri) & Richard Hyunho
Im (@richeeta), Mark Bowers, Dylan Rollins, Arthur Baudoin, Andr.Ess

WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: A website may be able to access sensor information without user
consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire

WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 294550
CVE-2025-43272: Big Bear

WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 296490
CVE-2025-43343: an anonymous researcher

WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher

WebKit Process Model
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd
generation and later, iPad 8th generation and later, and iPad mini 5th
generation and later
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory
management.
WebKit Bugzilla: 296276
CVE-2025-43368: Pawel Wylecial of REDTEAM.PL working with Trend Micro
Zero Day Initiative

Additional recognition

Accessibility
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from C-DAC
Thiruvananthapuram India, Himanshu Bharti @Xpl0itme From Khatima for
their assistance.

Accounts
We would like to acknowledge Lehan Dilusha Jayasingha, 要乐奈 for their
assistance.

AuthKit
We would like to acknowledge Rosyna Keller of Totally Not Malicious
Software for their assistance.

Calendar
We would like to acknowledge Keisuke Chinone (Iroiro) for their
assistance.

Camera
We would like to acknowledge Descartes, Yusuf Kelany, an anonymous
researcher for their assistance.

CFNetwork
We would like to acknowledge Christian Kohlschütter for their
assistance.

CloudKit
We would like to acknowledge Yinyi Wu (@_3ndy1) from Dawn Security Lab
of JD.com, Inc for their assistance.

Control Center
We would like to acknowledge Damitha Gunawardena for their assistance.

CoreMedia
We would like to acknowledge Noah Gregory (wts.dev) for their
assistance.

darwinOS
We would like to acknowledge Nathaniel Oh (@calysteon) for their
assistance.

Device Recovery
We would like to acknowledge an anonymous researcher for their
assistance.

Files
We would like to acknowledge Tyler Montgomery for their assistance.

Foundation
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for
their assistance.

iCloud Photo Library
We would like to acknowledge Dawuge of Shuffle Team, Hikerell (Loadshine
Lab), Joshua Jones, YingQi Shi (@Mas0nShi) and ChengQiang Jin (@白斩鸡) of
DBAppSecurity's WeBin lab for their assistance.

ImageIO
We would like to acknowledge DongJun Kim (@smlijun) and JongSeong Kim
(@nevul37) in Enki WhiteHat for their assistance.

IOGPUFamily
We would like to acknowledge Wang Yu of Cyberserval for their
assistance.

Kernel
We would like to acknowledge Yepeng Pan, Prof. Dr. Christian Rossow for
their assistance.

libc
We would like to acknowledge Nathaniel Oh (@calysteon) for their
assistance.

libpthread
We would like to acknowledge Nathaniel Oh (@calysteon) for their
assistance.

libxml2
We would like to acknowledge Nathaniel Oh (@calysteon) for their
assistance.

Lockdown Mode
We would like to acknowledge Jonathan Thach, Pyrophoria and Ethan Day,
kado for their assistance.

mDNSResponder
We would like to acknowledge Barrett Lyon for their assistance.

MediaRemote
We would like to acknowledge Dora Orak for their assistance.

MobileBackup
We would like to acknowledge Dragon Fruit Security (Davis Dai & ORAC落云 &
Frank Du) for their assistance.

Networking
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for
their assistance.

Notes
We would like to acknowledge Atul R V for their assistance.

Passwords
We would like to acknowledge Christian Kohlschütter for their
assistance.

Phone
We would like to acknowledge Dalibor Milanovic for their assistance.

Safari
We would like to acknowledge Ameen Basha M K, Chi Yuan Chang of ZUSO ART
and taikosoup, Dalibor Milanovic, HitmanAlharbi (@HitmanF15), Jake
Derouin (jakederouin.com), Jaydev Ahire, Kenneth Chew for their
assistance.

Sandbox Profiles
We would like to acknowledge Rosyna Keller of Totally Not Malicious
Software for their assistance.

Security
We would like to acknowledge Jatayu Holznagel (@jholznagel), THANSEER KP
for their assistance.

Setup Assistant
We would like to acknowledge Edwin R. for their assistance.

Siri
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from
Safran Mumbai India, Amandeep Singh Banga, Andrew Goldberg of The
McCombs School of Business, The University of Texas at Austin
(linkedin.com/andrew-goldberg-/), Dalibor Milanovic, M. Aman Shahid
(@amansmughal) for their assistance.

Siri Suggestions
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from C-DAC
Thiruvananthapuram India for their assistance.

Spotlight
We would like to acknowledge Christian Scalese, Jake Derouin
(jakederouin.com) for their assistance.

Status Bar
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from
Safran Mumbai India, Dalibor Milanovic, Jonathan Thach for their
assistance.

Transparency
We would like to acknowledge Wojciech Regula of SecuRing
(wojciechregula.blog), 要乐奈 for their assistance.

User Management
We would like to acknowledge Muhaned Almoghira for their assistance.

WebKit
We would like to acknowledge Bob Lord, Matthew Liang, Mike Cardwell of
grepular.com, Stanley Lee Linton for their assistance.

Wi-Fi
We would like to acknowledge Aobo Wang (@M4x_1997), Csaba Fitzl
(@theevilbit) of Kandji, Noah Gregory (wts.dev), Wojciech Regula of
SecuRing (wojciechregula.blog), an anonymous researcher for their
assistance.

Widgets
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from
Safran Mumbai India for their assistance.

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 26 and iPadOS 26".

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEhjkl+zMLNwFiCT1o4Ifiq8DH7PUFAmjImwcACgkQ4Ifiq8DH
7PUE+RAAgg1q/XJAGu+fFNbYDlc/jELsxc00DDWAnjlZ+Azzn2Me8EU5Ht37Guej
GQkLYDDIFZlPdb7ind37ReXh8JE0BuIFRUPjTCtiCk+W1Z3ykNxOVEH/QLRMJIwe
hDYa3Vs5ojRF3J78mjgItPr3ryMEHC+8A5F4N6IPHMqxtNMXf6MavN1VrFMk8C+H
ypx3NWmD/eCI0YaAaiKetuUvyMSG8QnRgVPz/6GEtCR9Qm4yydrL3wKm1El5/QEU
kNhUHaI1pgam7pJE9Ur7zL8Xc9IctE8GKXC+Rg7DmrphF/k9h0My3XqO3k6HkV2K
+tFqgLvyygNRhxdYjIXkLN2ADhWj1SBTIhsRVxp6gfPCedOQm9KSyv9MDfOzUvVO
2gMGHoibRKfOlrL8JgI3vTxW4A/HNZzVLXTeMSzxY5FZSM5mmDvdStb01brcQLMZ
72emjBzO3TnOu8+ddfWOxjg6YWBzmgkK7kGKj8+WqWoVt+MLE97aNUEbpAhP1b77
36G4WBHnDkM3oLGa+28ZqOk1yfYZytl5qwa7009WUBj/o6lsUZKQuDmCf1aipzR0
MrWdDtSIhcMa8UEhwmSUu5Se9k205Wv2VuEH/R4nS2IXOZ6BSvg8GLmvF3zXu1pv
Jui60cio/Yl1691Ub3ClywrHRRTY86AuS4JALjPRWm+E/rk/IBQ=
=jK5C
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/