CVE-2025-43537

Published Feb 11, 2026

Last updated a month ago

CVSS medium 5.5

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-43537 refers to a vulnerability found in LibHTP, a security-aware parser for the HTTP protocol, affecting versions 0.5.50 and below. This vulnerability is characterized by a traffic-induced memory leak. The technical assessment indicates that this is a CWE-401 (Missing Release of Memory after Effective Lifetime) issue, where the application fails to properly release allocated memory after its effective lifetime. The memory leak can progressively consume system resources, potentially leading to resource starvation and a loss of visibility in the affected system. A patch has been released in version 0.5.51 to address the memory leak. As a workaround, users who cannot immediately update can set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false.

Description
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2. Restoring a maliciously crafted backup file may lead to modification of protected system files.
Source
product-security@apple.com
NVD status
Modified
Products
ipados, iphone_os

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending

  1. CVE-2025-43537 A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. Restoring a maliciously crafted backup file may lea… https://t.co/LbXww9Zdqw

    @CVEnew

    12 Feb 2026

    475 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-43537 ⏳

    @hichem_ifpdz

    3 Dec 2025

    5366 Impressions

    2 Retweets

    23 Likes

    8 Bookmarks

    8 Replies

    1 Quote

Configurations

Related CVEs

  1. A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.CVE-2026-28950
  2. An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.CVE-2025-43210
  3. This issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6. Processing a file may lead to memory corruption.CVE-2025-43202
  4. The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.CVE-2026-28895
  5. A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A remote attacker may be able to cause a denial-of-service.CVE-2026-28894

References

Sources include official advisories and independent security research.