🟢 CVE-2025-31200

Memory corruption vulnerability in Apple's media processing affecting iOS, macOS, visionOS, and tvOS. Exploitation requires users to process maliciously crafted media files. Apple reports active exploitation in targeted attacks.

Risk Level: LOW_RISK

CVSS Score: 7.1

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1203 — Exploitation for Client Execution

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-04-16

Added to CISA KEV: 2025-04-17 (1 day between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-31200 is a critical memory corruption vulnerability within Apple’s CoreAudio framework, specifically identified as a buffer overflow in the Apple Positional Audio Codec (APAC) decoder [4].

Exploitation and Threat Actor Usage
  • Active Exploitation: Apple acknowledged that this vulnerability was exploited in the wild in highly targeted, sophisticated attacks against specific individuals [1] [7].
  • Targeted Nature: There is no evidence suggesting this was used in widespread ransomware campaigns; rather, it was utilized in targeted, high-stakes operations [1] [7].
  • Exploit Availability: While technical analysis and proof-of-concept chains (often involving CVE-2025-31201) have been discussed and documented by security researchers, this was a zero-day exploit used by sophisticated actors [2] [8].

Attack Method and Requirements
  • Method: The vulnerability is triggered by processing a maliciously crafted audio file [1].
  • User Interaction: It has been described as a "zero-click" exploit, meaning it can be triggered by malicious content delivered to the victim (e.g., via iMessage/SMS) without the victim needing to interact with that content [3] [8].
  • Access/Impact: Successful exploitation allows for arbitrary code execution with the privileges of the audio processing component [5]. When chained with other vulnerabilities (such as CVE-2025-31201), it has been used to achieve kernel-level compromise [2].

Affected Products and Mitigation
This vulnerability was addressed by Apple in April 2025. Users should ensure their devices are updated to at least the following versions:

| Product | Fixed Version |
|---|---|
| iOS | 18.4.1 |
| iPadOS | 18.4.1 |
| macOS Sequoia | 15.4.1 |
| tvOS | 18.4.1 |
| visionOS | 2.4.1 |

*Sources: [6] [7]*

Sources

  1. CVE-2025-31200 Deep Dive: Apple CoreAudio Memory Corruption ...

    Affected systems and fixed versions ; iOS, 18.4.1 (Apple Support) ; iPadOS, 18.4.1 (Apple Support) ; macOS Sequoia, 15.4.1 (NVD) ; tvOS, 18.4.1 (NVD). ... CVE-2025-31200 is a CoreAudio memory corruption vulnerability that can lead to code execution when processing a maliciously crafted media file, a…

  2. GitHub - JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201...

    CVE assignments: CVE-2025-31200 and CVE-2025-31201. CISA KEV listing (both CVEs): Apr 16, 2025 — federal patch deadline May 8, 2025. Apple acknowledged SSV persistence (CVE-2026-20700): Feb 11, 2026 (iOS 26.3). BCM4387 coexistence SRAM submitted to Broadcom PSIRT: Mar 2026 — no CVE assigned, no patc…

  3. iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/README.md at ... - GitHub

    CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio’s AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation bypassed Blastdoor, enabled kernel escalati...

  4. GitHub - hunters-sec/CVE-2025-31200: IOS audio buffer overflow...

    CVE-2025-31200 is a buffer overflow vulnerability in Apple's CoreAudio framework affecting the Apple Positional Audio Codec (APAC) decoder. The bug exists in the APACChannelRemapper::Process function within APACHOADecoder::DecodeAPACFrame. Affected Systems: iOS < 18.4.1. macOS < 15.4.1. All Apple de…

  5. CVE-2025-31200 - Vulnerability Details - OpenCVE

    A memory corruption flaw in the audio stream processor allows a crafted audio file to trigger arbitrary code execution when processed. The defect stems from insufficient bounds checking and is classified under CWE‑119. Successful exploitation would enable an attacker to run code with the privileges…

  6. CVE-2025-31200 Detail - NVD

    Description. A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia ... CVE-2025-31200 Detail. Description. A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, vi…

  7. A memory corruption issue was addressed with improved...

    Affected versions. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremel…

  8. CVE‑2025‑31200 / CVE‑2025‑31201 — Zero‑Click ... - GitHub

    Reporter: Joseph Goydish II Date: 2025‑11‑22 Submission Type: Enrichment Request (Impact Expansion + Exploit Chain Clarification) ⸻ 1. Overview This enrichment submission documents a confirmed zero‑click, remote exploitation chain affecting Apple platforms, involving: • CVE‑2025‑31200 — CoreAudio AA…