CVE-2025-43520

Published Dec 12, 2025

Last updated a month ago

Exploit known
CVSS medium 5.5
iPadOS
iOS
macOS
Splunk
Zero-day
XSS
Mobile device

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-43520 is identified as a memory corruption issue, specifically a classic buffer overflow vulnerability, affecting multiple Apple operating systems. These include watchOS, iOS, iPadOS, macOS, visionOS, and tvOS. The vulnerability could potentially allow a malicious application to cause unexpected system termination or write to kernel memory. Apple has addressed this issue with improved memory handling, and fixes have been implemented in various updated versions of its operating systems, such as watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, and tvOS 26.1. This vulnerability has also been noted as part of the "DarkSword" exploit chain, which has been utilized by state-sponsored actors and spyware vendors.

Description
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious application may be able to cause unexpected system termination or write kernel memory.
Source
product-security@apple.com
NVD status
Analyzed
Products
ipados, iphone_os, macos, tvos, visionos, watchos

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Known exploits

Data from CISA

Vulnerability name
Apple Multiple Products Classic Buffer Overflow Vulnerability
Exploit added on
Mar 20, 2026
Exploit action due
Apr 3, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-120

Social media

Hype score
Not currently trending
  1. Some open challenges for AI: 1. exploit the BootROM bug on A13. 2. exploit the SEPROM bug on A11. 3. exploit CVE-2025-43520 to escape the sandbox on A19. 4. ...

    @ProteasWang

    27 Apr 2026

    10083 Impressions

    10 Retweets

    107 Likes

    44 Bookmarks

    8 Replies

    0 Quotes

  2. 🚨 Russian APT Star Blizzard deploys DarkSword iOS exploit kit targeting 18.4-18.7. Full-chain: CVE-2025-31277 (JSCore RCE) → CVE-2026-20700 (PAC bypass) → CVE-2025-43520 (kernel privesc). GHOSTKNIFE backdoor exfils in minutes. Update to iOS 26.3+ now. #infosec

    @psyciclabs

    30 Mar 2026

    181 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 iOS Security 101: Lockdown Mode explained (perfect for DarkSword-level threats) With iOS 26.4 now out, the 6-zero-day DarkSword chain (incl. CVE-2025-31277 + CVE-2025-43520) has been publicly leaked on GitHub. Multiple actors (TA446 etc.) are actively using it. CISA added th

    @seoscottsdale

    28 Mar 2026

    216 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 3 Apple CVEs hit the CISA KEV this week — all actively exploited: CVE-2025-31277 (memory corruption) CVE-2025-43510 (DoS) CVE-2025-43520 (buffer overflow) iOS, macOS, watchOS, visionOS affected. Update everything. Today. #Apple #AppSec

    @cveriskpilot

    27 Mar 2026

    127 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. TRC analysis shows UNC6353 deployed the DarkSword exploit kit to chain iOS vulnerabilities CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520. Attackers escaped sandboxes, escalated privileges, and moved laterally across compromised devices to steal cryptocurrency wallet

    @aviatrixtrc

    24 Mar 2026

    179 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 ⚠️ ATTENTION ALL IPHONE/IPAD USERS ⚠️🚨 Vulnerabilities: CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520. How it works: This isn't just one bug; it's a "chain." A user visits a malicious website or opens a crafted file, and DarkSword uses these memory corrupti

    @SteveAJ777

    21 Mar 2026

    118 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 ⚠️ ATTENTION ALL IPHONE/IPAD USERS ⚠️🚨 Vulnerabilities: CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520. How it works: This isn't just one bug; it's a "chain." A user visits a malicious website or opens a crafted file, and DarkSword uses these memory corrupti

    @SteveAJ777

    21 Mar 2026

    14 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 ⚠️ ATTENTION ALL IPHONE/IPAD USERS ⚠️🚨 Vulnerabilities: CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520. How it works: This isn't just one bug; it's a "chain." A user visits a malicious website or opens a crafted file, and DarkSword uses these memory corrupti

    @SteveAJ777

    21 Mar 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Today CVE: CVE-2025-43520 That's the kind of thing people overlook. Buffer overflow in Apple everything. watchOS to macOS to the new Vision thing. Classic vulnerability. Classic scope.

    @EdgeDetectOps

    21 Mar 2026

    3 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

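  10. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities catalog. Multiple Apple products: CVE-2025-31277, CVE-2025-43510, CVE-2025-43520; Craft CMS: CVE-2025-32432; Laravel Livewire: CVE-202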

    @__kokumoto

    21 Mar 2026

    891 Impressions

    0 Retweets

    5 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  11. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-43520 #Apple Multiple Products Classic Buffer Overflow Vulnerability https://t.co/LL2qfSTesF

    @ScyScan

    20 Mar 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🛡️ CVE-2025-43520: Actively Exploited Buffer Overflow in Multiple Apple Products Technical analysis of the CVE-2025-43520 vulnerability in Apple watchOS, iOS and more. Impact, affected products and mitigation recommendations for professional https://t.co/p

    @CiberPlanetaOrg

    20 Mar 2026

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🛡️ Security Alert: Classic Buffer Overflow Vulnerability in Multiple Apple Products (CVE-2025-43520) CWE-120 vulnerability in watchOS, iOS, iPadOS, macOS, visionOS, tvOS allows malicious apps to cause system termination or write to memory

    @CiberPlanetaOrg

    20 Mar 2026

    97 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE Alert: CVE-2025-43520 - Apple - macOS - https://t.co/oBg69c2W3m #OSINT #ThreatIntel #CyberSecurity #cve-2025-43520 #apple #macos

    @RedPacketSec

    20 Mar 2026

    122 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. My analysis of CVE-2025-43520, the kernel vulnerability exploited by DarkSword (patched in 26.1): https://t.co/zj7HqahKYS

    @Muirey03

    20 Mar 2026

    20320 Impressions

    39 Retweets

    243 Likes

    122 Bookmarks

    2 Replies

    2 Quotes

  16. Russian 🇷🇺 UNC6353 deploys "DarkSword" iOS exploit kit targeting crypto wallets and personal data via watering hole attacks. Exploits CVE-2025-31277 through CVE-2025-43520 affecting iOS 18.4-18.7 devices. #DFIR_Radar https://t.co/Bv8ESL3HzZ

    @DFIR_Radar

    19 Mar 2026

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations