CVE-2025-31200 — Apple Multiple Products Memory Corruption Vulnerability

CVE-2025-31200

Apple CoreAudio — Memory Corruption in Audio Stream Processing Enabling Code Execution (Chained with CVE-2025-31201; Google TAG)

What is Apple CoreAudio?

CoreAudio is Apple's low-level audio processing framework, present across all Apple platforms — iOS, iPadOS, macOS, tvOS, and visionOS. It handles decoding, encoding, mixing, and playback of audio streams for every application that processes sound, including music apps, video players, VoIP, and system UI sounds. Because CoreAudio parses audio file formats (MP3, AAC, M4A, etc.) to render their contents, a memory corruption vulnerability in CoreAudio can be triggered by a maliciously crafted audio file — delivered via iMessage attachment, email, AirDrop, or a web page with embedded media.

Overview

CVE-2025-31200 is a critical memory corruption vulnerability (CWE-119) in Apple's CoreAudio framework, triggered when processing a maliciously crafted audio stream in a media file. Successful exploitation achieves arbitrary code execution in the CoreAudio process. This vulnerability was chained with CVE-2025-31201 (an RPAC / Pointer Authentication bypass) to form a two-stage zero-day exploit chain. The combination was used in "extremely sophisticated attacks against specific targeted individuals," per Apple's disclosure. Google's Threat Analysis Group (TAG) discovered and reported both vulnerabilities.

Affected Versions

Platform          Vulnerable          Fixed
iOS / iPadOS      Prior to 18.4.1     iOS / iPadOS 18.4.1
macOS Sequoia     Prior to 15.4.1     macOS Sequoia 15.4.1
tvOS              Prior to 18.4.1     tvOS 18.4.1
visionOS          Prior to 2.4.1      visionOS 2.4.1

Technical Details

The vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) is in CoreAudio's audio stream parser. When processing a specially crafted audio file, CoreAudio performs an out-of-bounds memory operation, reading or writing beyond the allocated buffer. An out-of-bounds write of this kind corrupts adjacent heap memory and can overwrite control structures, which is what allows an attacker to redirect execution flow.
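The defect class above is a parser that trusts a length field in the file more than the bytes it actually has. The following is an added example, not CoreAudio code and not the actual CVE-2025-31200 bug (Apple has published no details of the flawed code path): a small RIFF/WAVE chunk walker that validates every declared chunk size against the remaining buffer before touching the payload, run over two constructed inputs, one well-formed and one whose data chunk claims far more bytes than exist. The format itself is real; the helper names (parse_riff_chunks, build_wave, classify) and the sample bytes are this example's own.

```python
import struct
from typing import List, Optional, Tuple


class MalformedChunk(ValueError):
    """Raised when a chunk header claims more bytes than the buffer holds."""


def parse_riff_chunks(blob: bytes, max_chunks: int = 64) -> List[Tuple[bytes, int, int]]:
    """Walk the RIFF chunk list in `blob`, checking each length field against
    the bytes that actually remain before the payload is ever read.

    Returns a list of (chunk_id, payload_offset, payload_size). Raises
    MalformedChunk instead of reading past the end of `blob`; skipping this
    check is the CWE-119 pattern the advisory describes.
    """
    if len(blob) < 12:
        raise MalformedChunk("buffer too small for a RIFF header")
    riff_id, riff_size, form = struct.unpack_from("<4sI4s", blob, 0)
    if riff_id != b"RIFF" or form != b"WAVE":
        raise MalformedChunk("not a RIFF/WAVE stream")
    # The outer RIFF size counts every byte after the 8-byte RIFF header.
    if riff_size > len(blob) - 8:
        raise MalformedChunk(f"RIFF size {riff_size} exceeds {len(blob) - 8} available bytes")
    end = 8 + riff_size
    offset = 12
    chunks: List[Tuple[bytes, int, int]] = []
    while offset < end:
        if end - offset < 8:
            raise MalformedChunk(f"truncated chunk header at offset {offset}")
        chunk_id, chunk_size = struct.unpack_from("<4sI", blob, offset)
        payload = offset + 8
        # The bounds check: the declared size must fit in what remains.
        if chunk_size > end - payload:
            raise MalformedChunk(
                f"chunk {chunk_id!r} at offset {offset} declares {chunk_size} bytes, "
                f"only {end - payload} remain"
            )
        chunks.append((chunk_id, payload, chunk_size))
        if len(chunks) > max_chunks:
            raise MalformedChunk("too many chunks")
        # RIFF pads odd-sized chunks to an even boundary.
        offset = payload + chunk_size + (chunk_size & 1)
    return chunks


def _chunk(chunk_id: bytes, payload: bytes, declared_size: Optional[int] = None) -> bytes:
    size = len(payload) if declared_size is None else declared_size
    pad = b"\x00" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", size) + payload + pad


def build_wave(fmt_payload: bytes, data_payload: bytes, *, declared_data_size: Optional[int] = None) -> bytes:
    """Construct a minimal WAVE file. `declared_data_size` writes a lying
    length field into the data chunk, the kind of input the parser must reject."""
    body = b"WAVE" + _chunk(b"fmt ", fmt_payload) + _chunk(b"data", data_payload, declared_data_size)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs (not real files): a 16-byte PCM fmt chunk and 8 bytes of silence.
FMT_PCM = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
GOOD_WAVE = build_wave(FMT_PCM, b"\x00" * 8)
# Same file, but the data chunk claims 0x7FFFFFF0 bytes it does not have.
LYING_WAVE = build_wave(FMT_PCM, b"\x00" * 8, declared_data_size=0x7FFFFFF0)


def classify(blob: bytes) -> str:
    """Triage helper: 'ok: <chunk ids>' or 'rejected: <reason>'."""
    try:
        chunks = parse_riff_chunks(blob)
    except MalformedChunk as exc:
        return f"rejected: {exc}"
    return "ok: " + ",".join(c[0].decode("ascii", "replace") for c in chunks)


if __name__ == "__main__":
    print(classify(GOOD_WAVE))
    print(classify(LYING_WAVE))
```

The same shape of check applies to any length-prefixed container (MP4/M4A atoms, ID3 frames in MP3): compute the bytes that remain, compare the declared size against that figure before any copy or seek, and treat a mismatch as a parse error rather than clamping silently, so that malformed media is visible in logs.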

In the observed exploit chain:

  1. CVE-2025-31200 (this CVE): the initial stage. A malicious audio file is delivered to the target device and processed by CoreAudio. The memory corruption gives the attacker initial code execution within the audio processing context.
  2. CVE-2025-31201 (RPAC bypass): the second stage. Using the code execution from step 1, the attacker bypasses Apple's Pointer Authentication Code (PAC) hardware security feature, converting a limited memory corruption primitive into a full, reliable exploit with arbitrary code execution capabilities — enabling sandbox escape.

The chain can be delivered as a zero-click attack if the audio file is received and automatically parsed by a messaging or email application.

Discovery

Reported by Google's Threat Analysis Group (TAG) alongside companion CVE-2025-31201.

Exploitation Context

Apple confirmed both CVE-2025-31200 and CVE-2025-31201 "were used in an extremely sophisticated attack against specific targeted individuals" — language Apple reserves for nation-state or government-grade spyware. Google TAG's involvement confirms attribution to a government-backed threat actor. Apple issued an emergency out-of-band patch on 16 April 2025 — a mid-week release outside Apple's normal monthly update schedule — reflecting the severity of active exploitation. CISA added both CVEs to the KEV catalog on 17 April 2025.

Remediation

  1. Update all Apple devices immediately to iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1.
  2. Enable automatic updates to ensure future emergency patches apply without delay.
  3. For high-risk individuals (journalists, government officials, lawyers, activists): enable Apple Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) to restrict media processing attack surfaces.
  4. MDM-managed devices: push the emergency update immediately and verify compliance.
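Step 4 asks for a compliance check against the fixed versions in this advisory. The following is an added example, not Apple or MDM-vendor code: a version comparison that treats a bare "18.4" as below "18.4.1" and runs over a constructed inventory. It assumes the MDM export yields a platform name and an OS version string (optionally followed by a build in parentheses), and it applies the page's table literally, so for macOS it reports anything below 15.4.1 as not patched; whether older macOS major releases are in scope is not stated on this page and should be confirmed against Apple's advisory.

```python
from typing import Iterable, List, Tuple

# Fixed versions from this advisory (Apple, 16 April 2025).
FIXED_VERSIONS = {
    "iOS": (18, 4, 1),
    "iPadOS": (18, 4, 1),
    "macOS": (15, 4, 1),
    "tvOS": (18, 4, 1),
    "visionOS": (2, 4, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.4', '18.4.1' or '18.4.1 (22E252)' into a comparable 3-tuple,
    padding with zeros so that 18.4 sorts below 18.4.1."""
    token = text.strip().split()[0] if text.strip() else ""
    parts = [int(p) for p in token.split(".") if p != ""]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at or above the fixed release for `platform`."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise KeyError(f"platform {platform!r} is not in the advisory table")
    return parse_version(version) >= fixed


# Constructed inventory records (hypothetical devices, not real data):
# (device_name, platform, os_version)
INVENTORY = [
    ("ipad-finance-02", "iPadOS", "18.4"),
    ("iphone-legal-07", "iOS", "18.4.1 (22E252)"),
    ("mbp-eng-11", "macOS", "15.4"),
    ("mbp-eng-12", "macOS", "15.5"),
    ("appletv-lobby", "tvOS", "18.4.1"),
    ("vision-demo-01", "visionOS", "2.4"),
]


def unpatched_devices(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Names of devices still below the fixed version for their platform."""
    return [name for name, platform, version in inventory if not is_patched(platform, version)]


if __name__ == "__main__":
    for name in unpatched_devices(INVENTORY):
        print(f"NOT PATCHED: {name}")
```

Run it against the real export once devices have checked in after the push; any name it prints is still exposed to the CVE-2025-31200 / CVE-2025-31201 chain and should be treated as a priority, especially if its user falls in the high-risk group from step 3.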

Key Details

Property               Value
CVE ID                 CVE-2025-31200
Vendor / Product       Apple — Multiple Products
NVD Published          2025-04-16
NVD Last Modified      2026-04-03
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-119
CISA KEV Added         2025-04-17
CISA KEV Deadline      2025-05-08
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-05-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-04-16   Apple releases iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1 — emergency patches for the CVE-2025-31200 / CVE-2025-31201 zero-day chain
2025-04-17   CISA adds both CVE-2025-31200 and CVE-2025-31201 to the KEV catalog
2025-05-08   CISA BOD 22-01 remediation deadline