PoC Exploit and Technical Analysis Published for Apple 0-Day RCE Vulnerability

A critical zero-click remote code execution vulnerability in Apple’s iOS has been disclosed with a working proof-of-concept exploit, marking another significant security flaw in the company’s image processing capabilities.

The vulnerability, tracked as CVE-2025-43300, affects Apple’s implementation of the JPEG Lossless decompression code used when processing Adobe’s DNG (Digital Negative) file format.

The Vulnerability Details

Security researcher b1n4r1b01 has published detailed technical analysis and reproduction steps for this zero-day exploit, which targets iOS 18.6.1 devices through maliciously crafted DNG image files.

The vulnerability resides in Apple’s RawCamera.bundle, a component responsible for processing various raw image formats including Adobe’s DNG specification.

The core issue stems from a mismatch between metadata declarations and actual data content within DNG files.

Specifically, the vulnerability is triggered when a DNG file declares it contains 2 samples per pixel in its SubIFD metadata (SamplesPerPixel = 2) while the embedded JPEG Lossless data contains only 1 component in its SOF3 (Start of Frame 3) marker.

This inconsistency causes the decompression routine to perform an out-of-bounds write, potentially allowing attackers to execute arbitrary code.

The proof-of-concept exploit demonstrates a sophisticated understanding of both TIFF and JPEG file format specifications. The researcher modified specific bytes in a legitimate DNG file from a Pentax K-3 Mark III sample gallery:

  • Offset 0x2FD00: Changed from 0x01 to 0x02 (modifying SamplesPerPixel metadata)
  • Offset 0x3E40B: Changed from 0x02 to 0x01 (altering SOF3 component count)

These minimal modifications create the precise conditions needed to trigger the vulnerability during automatic image preview generation.

The exploit can be delivered through various vectors including AirDrop, iMessage, or email attachments, making it particularly dangerous as it requires no user interaction beyond receiving the malicious file.

Technical Impact and Scope

What makes CVE-2025-43300 particularly concerning is its zero-click nature. iOS automatically processes DNG files when generating previews, meaning devices can be compromised simply by receiving a malicious image file.

The vulnerability affects iOS 18.6.1 and potentially earlier versions, though the researcher notes that iOS 18.6.2 appears to have addressed the issue.

The RawCamera.bundle component has been stripped of debugging symbols, making reverse engineering challenging but not impossible.

This deliberate obfuscation suggests Apple recognizes the sensitive nature of this code path, yet it still contained a critical vulnerability that escaped detection during development and testing.

Following the disclosure, security researcher Matt Suiche developed ELEGANT BOUNCER, an open-source Rust-based detection tool specifically designed to identify CVE-2025-43300 exploitation attempts. The tool implements a sophisticated algorithm that:

  1. Parses TIFF/DNG file structures with proper endianness handling
  2. Identifies SubIFDs containing JPEG Lossless compressed data
  3. Validates consistency between metadata declarations and actual JPEG data
  4. Flags files exhibiting the specific mismatch conditions that trigger the vulnerability
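The four steps above, written out as an added Python check that is neither the article’s code nor ELEGANT BOUNCER’s: it walks the TIFF header and IFD0 with the declared endianness, follows the SubIFDs tag (0x014A), and for any JPEG-compressed (Compression = 7) SubIFD compares SamplesPerPixel (0x0115) with the component count in the SOF3 frame header at each strip or tile offset. The tag numbers come from the TIFF/DNG specifications; the minimal DNG-like file is constructed inline so the check runs offline.

```python
import struct

COMPRESSION, STRIP_OFFSETS, SAMPLES_PER_PIXEL, TILE_OFFSETS, SUB_IFDS = 0x0103, 0x0111, 0x0115, 0x0144, 0x014A
TYPES = {1: "B", 3: "H", 4: "I", 13: "I"}  # TIFF field types BYTE, SHORT, LONG, IFD; others are skipped

def read_ifd(buf, off, e):
    """Return {tag: [values]} for the IFD at off; e is '<' or '>' taken from the TIFF header."""
    tags = {}
    for i in range(struct.unpack_from(e + "H", buf, off)[0]):
        tag, typ, n, val = struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i)
        if typ not in TYPES:
            continue
        size = struct.calcsize(TYPES[typ]) * n
        # values up to 4 bytes live in the entry itself; larger ones sit at the offset the entry holds
        p = struct.unpack(e + "I", val)[0]
        raw = val[:size] if size <= 4 else buf[p:p + size]
        tags[tag] = list(struct.unpack(e + TYPES[typ] * n, raw))
    return tags

def sof3_components(jpeg):
    """Nf from the first SOF3 (FFC3) frame header: marker(2) Lf(2) P(1) Y(2) X(2) Nf(1)."""
    i = jpeg.find(b"\xff\xc3")
    return jpeg[i + 9] if i != -1 and i + 9 < len(jpeg) else None

def check_dng(buf):
    """List (SamplesPerPixel, SOF3 Nf) pairs that disagree in any JPEG-compressed SubIFD."""
    e = {b"II": "<", b"MM": ">"}[buf[:2]]
    assert struct.unpack_from(e + "H", buf, 2)[0] == 42, "not a TIFF/DNG container"
    ifd0 = read_ifd(buf, struct.unpack_from(e + "I", buf, 4)[0], e)
    findings = []
    for sub_off in ifd0.get(SUB_IFDS, []):
        ifd = read_ifd(buf, sub_off, e)
        if ifd.get(COMPRESSION) != [7]:  # 7 = JPEG; DNG raw data is stored as lossless JPEG
            continue
        spp = ifd.get(SAMPLES_PER_PIXEL, [1])[0]
        for off in ifd.get(STRIP_OFFSETS, []) + ifd.get(TILE_OFFSETS, []):
            nf = sof3_components(buf[off:])
            if nf is not None and nf != spp:
                findings.append((spp, nf))
    return findings

def build_sample(spp, nf):
    """Constructed little-endian TIFF: IFD0 -> one SubIFD (Compression=7) -> JPEG stream with an SOF3 frame."""
    sof3 = struct.pack(">HBHHB", 8 + 3 * nf, 16, 1, 1, nf) + b"\x00\x00\x00" * nf
    jpeg = b"\xff\xd8\xff\xc3" + sof3 + b"\xff\xd9"
    # layout: header (8 bytes) | IFD0 at 8 (18 bytes) | SubIFD at 26 (42 bytes) | JPEG at 68
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", SUB_IFDS, 4, 1, 26) + struct.pack("<I", 0)
    entries = [(COMPRESSION, 3, 7), (STRIP_OFFSETS, 4, 68), (SAMPLES_PER_PIXEL, 3, spp)]
    sub = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", t, ty, 1, v) for t, ty, v in entries) + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + sub + jpeg
```

`check_dng(build_sample(2, 1))` returns `[(2, 1)]`, the SamplesPerPixel = 2 / one-component SOF3 mismatch the article describes, while a consistent file returns an empty list.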

Apple has reportedly addressed this vulnerability in iOS 18.6.2, though the company has not issued an official security advisory at the time of this analysis.

The lack of formal communication from Apple regarding this zero-day is concerning, particularly given the severity and the availability of working exploit code.

Organizations and security professionals are advised to:

  • Immediately update all iOS devices to version 18.6.2 or later when available
  • Implement file validation before processing DNG files in custom applications
  • Deploy detection tools like ELEGANT BOUNCER to identify potential exploitation attempts
  • Consider disabling automatic image preview for untrusted sources where possible

CVE-2025-43300 represents a continuation of Apple’s ongoing challenges with image processing security.

The vulnerability highlights how the complexity of modern file formats, particularly when multiple standards interact (TIFF containers with JPEG data), can create unexpected attack surfaces.

This disclosure also underscores the critical importance of defense-in-depth strategies and the value of independent security research in identifying vulnerabilities that may have been missed during vendor testing processes.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.