CVE-2025-31201 — Apple Multiple Products Arbitrary Read and Write Vulnerability

Apple RPAC — Pointer Authentication Bypass Enabling Sandbox Escape (Chained with CVE-2025-31200; Google TAG)

What is Apple RPAC?

Pointer Authentication Codes (PAC) are an ARMv8.3-A feature that tags a pointer with a short cryptographic signature computed over the pointer value, a context value and a key held in privileged system registers. The tag occupies the pointer's otherwise unused upper bits and is recomputed and checked when the pointer is authenticated before use, so a memory corruption bug that overwrites a pointer cannot, on its own, supply a valid tag for the new value. Apple uses PAC (the arm64e ABI) for the kernel and system software on A12 and later chips and on all Apple silicon Macs; its advisory names the affected component only as "RPAC" and does not expand the abbreviation. Defeating PAC removes this safety net: an attacker who already holds an arbitrary read/write primitive can turn it into reliable code execution even on hardened Apple devices.

Overview

CVE-2025-31201 is a Pointer Authentication bypass in the component Apple's advisory calls RPAC. Apple's impact statement is that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication, a hardware-enforced mitigation; the "Arbitrary Read and Write" in the catalog title names the precondition, not the flaw itself. Apple flagged the bug as exploited in the same extremely sophisticated attack as CVE-2025-31200, a CoreAudio memory corruption, and published no chain details. The widely inferred chain is that CVE-2025-31200 supplied the initial memory corruption and code execution, and CVE-2025-31201 defeated PAC to turn that foothold into a reliable exploit. Apple released out-of-band patches on 16 April 2025, crediting Google's Threat Analysis Group (TAG) together with Apple for the CoreAudio report; CISA added both CVEs to the KEV catalog the following day.

Affected Versions

Platform Vulnerable Fixed
iOS / iPadOS Prior to 18.4.1 iOS / iPadOS 18.4.1
macOS Sequoia Prior to 15.4.1 macOS Sequoia 15.4.1
tvOS Prior to 18.4.1 tvOS 18.4.1
visionOS Prior to 2.4.1 visionOS 2.4.1

Technical Details

The catalog data below classify the issue as CWE-1220; Apple says only that it was in its RPAC component and was addressed by removing the vulnerable code. PAC signs a pointer with a tag derived from the pointer value, a context (typically the address of the slot holding the pointer, optionally blended with a type discriminator) and a key held in privileged registers, and re-derives and compares the tag when the pointer is authenticated. An attacker with arbitrary read/write can read signed pointers and overwrite them, but cannot compute a valid tag for a value of their choosing, nor reuse a pointer signed under one context in another; resisting exactly this primitive is what PAC is designed for. A bypass of this kind therefore means some reachable code path let the attacker obtain correctly signed pointers for values they controlled, handing them a signing capability the design is meant to withhold.
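
The following C program is an added illustration of the mechanism described in the "What is Apple RPAC?" and "Technical Details" paragraphs; it is not Apple's code, not the real PAC algorithm, and not a description of the undisclosed CVE-2025-31201 bug. It models a tag derived from address, context and key, shows why an arbitrary read/write primitive alone can neither forge a tag for a new address nor replay a signed pointer into a different slot, and shows how a reachable signing gadget collapses both guarantees. The key, the keyed mixing function standing in for the hardware cipher, the addresses, and the `signing_oracle` function are all constructed for the example.

```c
/*
 * Toy model of ARM64 Pointer Authentication (PAC). Added example: not Apple's
 * code and not the real PAC algorithm. Hardware uses QARMA (or an
 * implementation-defined cipher) keyed from privileged system registers and
 * stores the tag in a pointer's unused upper bits. Here a keyed mixing function
 * stands in for the cipher, and PAC_KEY is a constructed value that the
 * "attacker" functions below never read, modelling a key reachable only from
 * privileged mode.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS   47ULL                         /* modelled address width */
#define ADDR_MASK ((1ULL << VA_BITS) - 1)       /* bits that hold the address */
#define PAC_MASK  (~ADDR_MASK)                  /* bits that hold the tag */

static const uint64_t PAC_KEY = 0x5EC2E7C0DEBA5E11ULL;  /* constructed secret */

/* Stand-in for the PAC cipher (NOT QARMA, not cryptographically secure). */
static uint64_t pac_tag(uint64_t addr, uint64_t context)
{
    uint64_t x = (addr & ADDR_MASK) ^ PAC_KEY ^ (context * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;                        /* tag lives above the address */
}

/* PACIA/PACDA analogue: bind a pointer to a context, typically the address of
 * the slot it is stored in, optionally blended with a type discriminator. */
static uint64_t pac_sign(uint64_t addr, uint64_t context)
{
    return (addr & ADDR_MASK) | pac_tag(addr, context);
}

/* AUTIA/AUTDA analogue. Real hardware corrupts the pointer so the next use
 * faults; here a failed check returns 0 so callers can test the outcome. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t context)
{
    uint64_t addr = signed_ptr & ADDR_MASK;
    return (pac_tag(addr, context) == (signed_ptr & PAC_MASK)) ? addr : 0;
}

/* Scenario 1: arbitrary read/write, no key. The attacker reads a signed
 * function pointer out of an object and overwrites only its address bits with
 * a gadget address, leaving the stored tag in place. */
static bool overwrite_attack_succeeds(uint64_t victim_fn, uint64_t gadget, uint64_t slot)
{
    uint64_t stored = pac_sign(victim_fn, slot);                  /* kernel wrote this */
    uint64_t forged = (stored & PAC_MASK) | (gadget & ADDR_MASK); /* attacker's write */
    return pac_auth(forged, slot) == gadget;
}

/* Scenario 2: pointer substitution. The attacker copies a validly signed
 * pointer into a different slot; context binding is what defeats this. */
static bool replay_attack_succeeds(uint64_t victim_fn, uint64_t slot_a, uint64_t slot_b)
{
    uint64_t stored = pac_sign(victim_fn, slot_a);
    return pac_auth(stored, slot_b) == victim_fn;
}

/* Scenario 3: a signing oracle. Any reachable code path that signs
 * attacker-controlled data under the real key turns read/write into forgery.
 * This is a generic model of a PAC bypass, not the disclosed mechanism of
 * CVE-2025-31201, which Apple has not described. */
static uint64_t signing_oracle(uint64_t attacker_addr, uint64_t attacker_ctx)
{
    return pac_sign(attacker_addr, attacker_ctx);   /* the kind of code a fix removes */
}

static bool oracle_attack_succeeds(uint64_t gadget, uint64_t slot)
{
    uint64_t forged = signing_oracle(gadget, slot);
    return pac_auth(forged, slot) == gadget;
}

int main(void)
{
    const uint64_t victim_fn = 0x0000000180004000ULL;  /* constructed addresses */
    const uint64_t gadget    = 0x00000001800ABCD0ULL;
    const uint64_t slot_a    = 0x000000010F00C0A0ULL;
    const uint64_t slot_b    = 0x000000010F00C0B8ULL;

    printf("legitimate auth ok: %d\n", pac_auth(pac_sign(victim_fn, slot_a), slot_a) == victim_fn);
    printf("overwrite succeeds: %d\n", overwrite_attack_succeeds(victim_fn, gadget, slot_a));
    printf("replay succeeds:    %d\n", replay_attack_succeeds(victim_fn, slot_a, slot_b));
    printf("oracle succeeds:    %d\n", oracle_attack_succeeds(gadget, slot_a));
    return 0;
}
```

The first two scenarios fail because the attacker cannot evaluate `pac_tag` without the key, which is the property PAC relies on against read/write primitives. The third succeeds with no key knowledge at all, which is why the hardening response to a bug of this class is to remove the code path that signs attacker-influenced values, exactly the remedy Apple reports for CVE-2025-31201.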

In the inferred exploit chain (Apple has published no chain details):

  1. CVE-2025-31200 (CoreAudio memory corruption): triggered by processing an audio stream in a maliciously crafted media file, yielding memory corruption and initial code execution inside the audio-processing component.
  2. CVE-2025-31201 (RPAC bypass): from that foothold, the attacker obtains validly signed pointers for values they control, converting a constrained memory corruption primitive into reliable, unrestricted code execution and, per the reconstruction of the chain, a sandbox escape.

This pairing follows the established pattern of chaining a memory corruption bug with a PAC bypass for reliable, weaponizable iOS exploitation.

Discovery

Apple's advisory credits CVE-2025-31201 to Apple itself; Google's Threat Analysis Group (TAG) is credited, together with Apple, for the companion CoreAudio bug CVE-2025-31200. TAG tracks government-backed actors and commercial surveillance vendors, so its involvement is consistent with use in targeted attacks of that kind, though no public attribution has been made.

Exploitation Context

Apple stated that both CVE-2025-31200 and CVE-2025-31201 "may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS", language consistent with mercenary-spyware operations of the Pegasus class. Google TAG's credit on the CoreAudio report is consistent with, but not public confirmation of, a government-backed or commercial-surveillance actor. The out-of-band release on 16 April 2025, outside Apple's regular point-release cadence, reflects the active exploitation. CISA added both CVEs to the KEV catalog on 17 April 2025.

Remediation

  1. Update all Apple devices immediately to iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1.
  2. Enable automatic updates — Settings → General → Software Update → Automatic Updates.
  3. For high-risk individuals: enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) which restricts the attack surface for media-based delivery.
  4. MDM fleets: push emergency update and validate compliance promptly.

Key Details

Property Value
CVE ID CVE-2025-31201
Vendor / Product Apple — Multiple Products
NVD Published 2025-04-16
NVD Last Modified 2026-04-03
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-1220
CISA KEV Added 2025-04-17
CISA KEV Deadline 2025-05-08
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2025-05-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date Event
2025-04-16 Apple releases iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1 — emergency patches for the chained zero-days CVE-2025-31200 and CVE-2025-31201
2025-04-17 CISA adds both CVE-2025-31200 and CVE-2025-31201 to the KEV catalog
2025-05-08 CISA BOD 22-01 remediation deadline