Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.
The central issue targeted by these updates is an out-of-bounds write flaw in Apple’s font parser, tracked under the identifier CVE-2025-43400. This vulnerability could allow a maliciously crafted font to cause unexpected app termination or corrupt process memory on affected devices.
While there have been no reported cases of active exploitation, security experts warn that such a flaw could be exploited in combination with other vulnerabilities to enable remote code execution.
Apple Security Updates: Platforms Affected
The security update was released for a wide range of Apple devices, including:
- iOS 26.0.1 and iPadOS 26.0.1 for iPhone 11 and later models, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
- iOS 18.7.1 and iPadOS 18.7.1 covering iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
- macOS Tahoe 26.0.1, macOS Sequoia 15.7.1, and macOS Sonoma 14.8.1 for various Mac models.
- visionOS 26.0.1 for Apple Vision Pro.
- watchOS 26.0.2 for Apple Watch Series 6 and later.
- tvOS 26.0.1 for Apple TV HD and Apple TV 4K models.
Details of the Apple Fix
The vulnerability stems from insufficient bounds checking within the font parser component, which could be triggered by processing a specially crafted font file. The patch, delivered as part of the Apple security update on September 29, 2025, strengthens bounds checking to prevent out-of-bounds memory access and the resulting instability.
This fix is uniformly applied across all affected operating systems, ensuring consistent protection whether the user is on iOS, iPadOS, macOS, or visionOS. For watchOS and tvOS, updates were also issued, though no specific Common Vulnerabilities and Exposures (CVE) entries were published for these platforms in this update cycle.
Why The Update Matters
Font parser vulnerabilities have historically posed serious security risks, as font files are often processed automatically by systems and applications, potentially providing a stealthy attack vector. By addressing this flaw promptly, Apple mitigates the risk of memory corruption attacks that could otherwise destabilize apps or lead to more severe security breaches.
Update Availability and Installation
All of these updates became available simultaneously on September 29, 2025. Apple users who have automatic updates enabled will receive the patches without needing to intervene. Those managing updates manually should navigate to System Settings > General > Software Update on their devices to download and install the latest versions, including macOS Sequoia 15.7.1 and the respective iOS and iPadOS releases.
Final Note
Apple has not indicated any additional required user actions beyond applying the updates. As always, users are encouraged to stay current with Apple security updates to maintain optimal protection against vulnerabilities. This round of patches highlights the ongoing importance of timely software maintenance within the Apple ecosystem, especially for users of iOS, iPadOS, and macOS devices.
