CVE-2025-31200

CRITICAL KEV

Apple macOS < 15.4.1 - Memory Corruption via Malicious Audio Stream

Title source: LLM

Exploitation Summary

CVE-2025-31200 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 17, 2025. EIP tracks 4 public exploits from researchers including JGoyd, zhuowei and hunters-sec.

AI-analyzed exploit summary: This repository documents a zero-click remote exploit chain affecting iOS 18.x, involving heap corruption in CoreAudio (CVE-2025-31200) and kernel privilege escalation via AppleBCMWLAN (CVE-2025-31201). The attack is delivered via a malformed MP4 audio file through iMessage, leading to kernel-level compromise and unauthorized signing operations.

Description

A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1, watchOS 11.5. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.

Exploits (4)

nomisec WRITEUP 183 stars
by JGoyd · poc
https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201

Classification
Writeup 100%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: iOS 18.4 and below
No auth needed
Prerequisites: iOS device running version 18.4 or below · iMessage delivery vector
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 117 stars
by zhuowei · poc
https://github.com/zhuowei/apple-positional-audio-codec-invalid-header

This PoC demonstrates an out-of-bounds read/write vulnerability in Apple's CoreAudio (CVE-2025-31200) by manipulating the mRemappingArray in APAC (Apple Positional Audio Codec) decoding, leading to memory corruption. The exploit requires building on macOS < 15.4.1 and uses LLDB hooks to trigger the vulnerability during audio playback.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Complex
Reliability
Theoretical
Target: Apple CoreAudio (iOS 18.4.1, macOS 15.4.1, visionOS 2.2)
No auth needed
Prerequisites: macOS < 15.4.1 for building · LLDB for debugging · APAC-encoded audio file
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 11 stars
by hunters-sec · poc
https://github.com/hunters-sec/CVE-2025-31200

This repository contains a Python-based PoC for CVE-2025-31200, a buffer overflow in Apple's CoreAudio APAC decoder. The exploit generates a malicious APAC cookie with mismatched channel counts to trigger out-of-bounds memory access.

Classification
Working PoC 95%
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: Apple CoreAudio Framework (iOS < 18.4.1, macOS < 15.4.1)
No auth needed
Prerequisites: Python 3.x · numpy · construct · macOS for afconvert (optional)
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 1 star
by serundengsapi · poc
https://github.com/serundengsapi/CVE-2025-31200-iOS-AudioConverter-RCE

This repository documents CVE-2025-31200, a zero-click RCE vulnerability in iOS 18.X's AudioConverterService, triggered via malicious audio files in iMessage/SMS. It includes a technical write-up but no exploit code.

Classification
Writeup 90%
Attack Type
RCE
Complexity
Complex
Reliability
Theoretical
Target: Apple iOS 18.2.1, 18.3 Beta (AudioConverterService)
No auth needed
Prerequisites: Vulnerable iOS version (18.2.1 or 18.3 Beta) · Delivery mechanism (iMessage/SMS)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0170
EPSS Percentile 82.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-04-17
VulnCheck KEV 2025-04-16
ENISA EUVD EUVD-2025-11380
CWE
CWE-119
Status published
Products (11)
Apple/iOS and iPadOS < 18.4.1
apple/ipados < 18.4.1
apple/iphone_os < 18.4.1
apple/macos < 15.4.1
Apple/macOS < 15.4.1
apple/tvos < 18.4.1
Apple/tvOS < 18.4.1
apple/visionos < 2.4.1
Apple/visionOS < 2.4.1
apple/watchos < 11.5
... and 1 more
Published Apr 16, 2025
KEV Added Apr 17, 2025
Tracked Since Feb 18, 2026