CVE-2025-43520 — Apple Multiple Products Classic Buffer Overflow Vulnerability

Apple iOS, iPadOS, macOS, watchOS, tvOS, visionOS — Kernel Memory Write via Buffer Overflow

What is Affected?

CVE-2025-43520 affects a shared kernel or low-level system framework component present across Apple's entire platform family: iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. When a vulnerability spans all Apple operating systems simultaneously, it typically resides in shared foundational code — such as the XNU kernel, a hardware driver, or a system framework common to all platforms. The breadth of affected devices ranges from iPhones and iPads to Macs, Apple Watches, Apple TVs, and Vision Pro headsets, all of which run variants of the same underlying OS architecture.

Overview

CVE-2025-43520 is a classic buffer overflow in an Apple system component that allows a malicious application running locally to cause either unexpected system termination (kernel panic / denial of service) or — under controlled exploitation conditions — arbitrary writes to kernel memory. Writing to kernel memory breaks the OS-enforced boundary between user-space applications and the kernel, potentially enabling privilege escalation and sandbox escape as part of a multi-stage exploit chain.

The CVSS base score of 5.5 reflects only the standalone denial-of-service outcome (availability impact High, with no confidentiality or integrity impact in the vector). The CISA KEV addition on March 20, 2026 — three months after the December 2025 patch — follows a common pattern for Apple kernel vulnerabilities: the fix ships quietly, then confirmed exploitation in targeted spyware campaigns is detected weeks or months later, prompting KEV listing.

Affected Versions

Platform         Vulnerable   Fixed
iOS              < 18.7.2     18.7.2
iPadOS           < 18.7.2     18.7.2
macOS Sequoia    < 15.7.2     15.7.2
watchOS          < 11.7.2     11.7.2
tvOS             < 18.7.2     18.7.2
visionOS         < 2.7.2      2.7.2

Technical Details

CWE-120 (Buffer Copy without Checking Size of Input, the "Classic Buffer Overflow"). A buffer overflow occurs when a program copies input data into a fixed-size buffer without validating that the input fits within that buffer, allowing memory adjacent to the buffer to be overwritten. In the kernel context, overwriting kernel memory can corrupt data structures that enforce OS security guarantees, or overwrite code pointers to redirect execution.

Key characteristics:

  • Local attack vector — a malicious app must be installed and running on the device; no remote exploitation without a companion vulnerability.
  • Low-privilege attacker — a standard user-level app can trigger the overflow; root or kernel privileges are not required to reach the vulnerable code path.
  • Kernel memory write primitive — the controlled overflow can write attacker-influenced data to kernel memory, making this a building block for privilege escalation when chained with an information-leak vulnerability to defeat kernel address space layout randomization (KASLR).

Apple's security advisories do not publicly disclose the precise code path or triggering conditions, consistent with its policy of withholding technical details while patches propagate.

Discovery

Specific external researcher attribution was not publicly disclosed by Apple in the advisories. Apple's pattern of not crediting a reporter, combined with the delayed KEV listing (three months post-patch), suggests the in-the-wild exploitation was discovered through post-publication threat hunting rather than being reported by an external researcher prior to patching.

Exploitation Context

CISA added CVE-2025-43520 to the KEV catalog on March 20, 2026, with an action deadline of April 3, 2026. The three-month gap between the December 2025 patch and the March 2026 KEV listing mirrors previous Apple kernel zero-days where targeted exploitation by commercial spyware or nation-state operators was confirmed through forensic analysis of compromised devices after the initial patch was released.

The local attack vector means exploitation requires either a malicious application to be present on the device or chaining from another vulnerability that delivers initial code execution (e.g., a WebKit or in-app browser flaw that executes code within a sandboxed context). State-sponsored and commercial spyware operators (NSO Group, Candiru, Intellexa, and similar) routinely chain such primitives to achieve full device compromise.

Remediation

  1. Update all affected devices to the December 2025 security update releases (iOS/iPadOS 18.7.2, macOS Sequoia 15.7.2, watchOS 11.7.2, tvOS 18.7.2, visionOS 2.7.2).
  2. Enable automatic security updates on all Apple devices (Settings → General → Software Update → Automatic Updates).
  3. For individuals at elevated risk of targeted surveillance: enable Lockdown Mode on iPhone and iPad, which restricts app installation vectors and reduces the attack surface for chained exploits.
  4. Avoid installing applications from untrusted sources or enabling app sideloading.
  5. Enterprise environments should enforce iOS/macOS minimum version requirements via MDM policy and verify compliance before the CISA deadline.
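To verify step 5 against the Affected Versions table, here is an added Python compliance check (not Apple's or this page's code) that flags inventory entries below the fixed release for their platform; the platform and version field names and the sample inventory are assumptions for illustration.

```python
# Added example (not Apple's or the page's code): check a device inventory
# against the fixed releases this advisory lists for CVE-2025-43520.
FIXED_VERSIONS = {  # minimum fixed release per platform, from the table above
    "iOS": "18.7.2",
    "iPadOS": "18.7.2",
    "macOS": "15.7.2",  # macOS Sequoia
    "watchOS": "11.7.2",
    "tvOS": "18.7.2",
    "visionOS": "2.7.2",
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.2' into (18, 7, 2); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> bool:
    """True when version is at or above the fixed release; tuple comparison
    makes a short string such as '18.7' sort below (18, 7, 2)."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform])

def find_noncompliant(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return devices still vulnerable plus any the check cannot evaluate."""
    findings = []
    for dev in inventory:
        platform, version = dev.get("platform", ""), dev.get("version", "")
        if platform not in FIXED_VERSIONS:
            findings.append({**dev, "status": "unknown platform"})
            continue
        try:
            patched = is_patched(platform, version)
        except ValueError:
            findings.append({**dev, "status": "unparseable version"})
            continue
        if not patched:
            findings.append({**dev, "status": f"below {FIXED_VERSIONS[platform]}"})
    return findings

# Constructed sample inventory (hypothetical MDM export), not real devices.
SAMPLE_INVENTORY = [
    {"serial": "DEV-001", "platform": "iOS", "version": "18.7.1"},
    {"serial": "DEV-002", "platform": "macOS", "version": "15.6"},
    {"serial": "DEV-003", "platform": "visionOS", "version": "2.7.2"},
    {"serial": "DEV-004", "platform": "tvOS", "version": "18.7.x"},
    {"serial": "DEV-005", "platform": "Linux", "version": "6.6"},
]

if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_INVENTORY):
        print(f["serial"], f["platform"], f["version"], "->", f["status"])
```

Unknown platforms and unparseable versions are reported rather than silently treated as compliant, so an incomplete MDM export cannot hide an unpatched device.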

Key Details

CVE ID: CVE-2025-43520
Vendor / Product: Apple — Multiple Products
NVD Published: 2025-12-12
NVD Last Modified: 2026-04-03
CVSS 3.1 Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM
CWE: CWE-120
CISA KEV Added: 2026-03-20
CISA KEV Deadline: 2026-04-03
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-04-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-12-12: CVE published; Apple releases iOS 18.7.2, macOS Sequoia 15.7.2, and platform-equivalent updates containing the patch
2026-03-20: Added to the CISA Known Exploited Vulnerabilities catalog (indicating confirmed in-the-wild exploitation detected)
2026-04-03: CISA KEV remediation deadline