This post was originally published on Security Affairs. It can be found here.
Apple released security updates to address easily exploitable vulnerabilities impacting iOS and macOS devices.
Apple released urgent iOS and macOS security updates to patch critical flaws that could allow attackers to execute malicious code just by opening a crafted image, video, or website:
- AppleJPEG CVE-2025-31251 – Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
- CoreMedia CVE-2025-31233 – Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory
- ImageIO CVE-2025-31226 – Processing a maliciously crafted image may lead to a denial-of-service
- WebKit CVE-2025-31223 – Processing maliciously crafted web content may lead to memory corruption
- WebKit CVE-2025-24223 – Processing maliciously crafted web content may lead to memory corruption
- WebKit CVE-2025-31217 – Processing maliciously crafted web content may lead to an unexpected Safari crash
- WebKit CVE-2025-31215 – Processing maliciously crafted web content may lead to an unexpected process crash
- WebKit CVE-2025-31206 – Processing maliciously crafted web content may lead to an unexpected Safari crash
- WebKit CVE-2025-31257 – Processing maliciously crafted web content may lead to an unexpected Safari crash
Apple’s iOS 18.5 update addressed multiple critical flaws in AppleJPEG, CoreMedia, and other components that could let attackers run code or leak data via malicious media files.
The company patched severe file-parsing flaws in CoreAudio, CoreGraphics, and ImageIO that could cause unexpected app termination, corrupt process memory, or leak data when malicious content is opened.
Some bugs could trigger a denial-of-service condition or lead to memory corruption.
One of the issues, tracked as CVE-2025-31217, can be triggered by processing maliciously crafted web content, leading to an unexpected Safari crash.
Apple also addressed a Baseband flaw, tracked as CVE-2025-31214, that can be exploited by an attacker to intercept traffic on iPhone 16e.
The IT giant also fixed an mDNSResponder privilege escalation bug, tracked as CVE-2025-31222, a Notes issue leaking data from locked screens, and other security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
iOS 18.5 is now available for iPhone XS and newer models, while the accompanying iPadOS update supports iPad Pro (2018 and later), iPad Air 3rd generation, iPad 7th generation, iPad mini 5, and subsequent devices.
Apple also released updates for macOS Sequoia, macOS Sonoma, and macOS Ventura, as well as for watchOS, tvOS, and visionOS.
Pierluigi Paganini
(SecurityAffairs – hacking, iOS)