Severity
High
Analysis Summary
Apple has released security updates to patch a newly disclosed vulnerability in its Font Parser component, tracked as CVE-2025-43400. The flaw, classified as an out-of-bounds write, affects the latest operating systems, macOS Tahoe and iOS 26, as well as several older versions. A specially crafted font embedded in a document, webpage, or email could trigger unsafe memory operations, leading to application crashes or process memory corruption. Although Apple has confirmed the issue, there are currently no reports of active exploitation in the wild.
The vulnerability arises from improper memory bounds handling in Font Parser, which may permit a program to write data beyond the allocated buffer. Such flaws can cause unpredictable behavior and, in more severe cases, open the door to arbitrary code execution. While Apple’s advisory does not confirm that remote code execution is possible, it does highlight risks of denial-of-service attacks and system instability, making this a high-priority concern for users across Apple’s ecosystem.
Apple addressed the issue with stricter bounds checking to preserve memory integrity when handling font data. The fix has been rolled out across multiple platforms, reflecting the shared codebase behind Apple's operating systems. The patched versions include iOS & iPadOS 26.0.1, iOS & iPadOS 18.7.1, macOS Tahoe 26.0.1, macOS Sequoia 15.7.1, macOS Sonoma 14.8.1, and visionOS 26.0.1. The watchOS and tvOS updates do not list this vulnerability, indicating that those platforms are unaffected.
Given the broad impact of CVE-2025-43400, users are strongly advised to update their devices immediately to the latest patched versions. Even though no active exploitation has been observed, vulnerabilities in widely used components like Font Parser are attractive targets for attackers due to their potential reach and reliability. Applying Apple’s security patches is the most effective way to mitigate the risk of application crashes, denial-of-service attacks, and potential memory corruption scenarios that could escalate into more severe threats.
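As an added illustration of the bug class described above (not Apple's code and not the Font Parser implementation), the toy table-directory parser below shows the bounds checks a font loader needs before copying table data into a fixed buffer; the layout, function names and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy font layout (not a real font format): a 16-bit big-endian
 * table count, then 12-byte records of {4-byte tag, u32 offset, u32 length}.
 * The offset/length pair is attacker-controlled, exactly the kind of field
 * whose unchecked use becomes an out-of-bounds write. */
#define REC_SIZE 12
#define TABLE_BUF 64

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the table named `tag` into `out` (capacity `out_cap`).
 * Returns the number of bytes copied, or -1 if the record is malformed.
 * A loader that skipped the three checks and called memcpy(out, font+off, len)
 * directly would read past the file and write past `out` for a hostile record;
 * the checks are the "stricter bounds checking" class of fix. */
int load_table(const uint8_t *font, size_t font_len, const char tag[4],
               uint8_t *out, size_t out_cap) {
    if (font_len < 2) return -1;
    size_t n = ((size_t)font[0] << 8) | font[1];
    if (n > (font_len - 2) / REC_SIZE) return -1;          /* directory overruns file */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = font + 2 + i * REC_SIZE;
        if (memcmp(rec, tag, 4) != 0) continue;
        uint32_t off = rd32(rec + 4), len = rd32(rec + 8);
        if (off > font_len || len > font_len - off) return -1; /* source range, no wraparound */
        if (len > out_cap) return -1;                          /* destination capacity */
        memcpy(out, font + off, len);
        return (int)len;
    }
    return -1;                                                 /* table not present */
}

/* Constructed samples: one well-formed file with a 4-byte "glyf" table at
 * offset 14, and one whose record claims a 4 GiB table at the same offset. */
static const uint8_t GOOD_FONT[] = {
    0x00, 0x01, 'g', 'l', 'y', 'f', 0, 0, 0, 14, 0, 0, 0, 4, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t BAD_FONT[] = {
    0x00, 0x01, 'g', 'l', 'y', 'f', 0, 0, 0, 14, 0xFF, 0xFF, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF };

/* Returns 1 when the good file loads and the hostile one is rejected. */
int check_samples(void) {
    uint8_t out[TABLE_BUF];
    int good = load_table(GOOD_FONT, sizeof GOOD_FONT, "glyf", out, sizeof out);
    int bad  = load_table(BAD_FONT, sizeof BAD_FONT, "glyf", out, sizeof out);
    return good == 4 && bad == -1;
}
```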
Impact
- Denial of Service
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-43400
Affected Vendors
Apple
Remediation
- Update all affected Apple devices to the latest patched versions immediately.
- Enable automatic updates on Apple devices to ensure timely installation of future security patches.
- Avoid opening documents or emails, or visiting websites, from untrusted or suspicious sources, as malicious fonts could be embedded to trigger exploitation.
- Regularly review Apple’s security advisories to stay updated on new vulnerabilities and patches.
- Apply the principle of least privilege on user accounts and devices to limit potential damage if an exploit occurs.
- For enterprise environments, consider deploying centralized patch management tools (e.g., MDM solutions) to ensure all devices receive updates promptly.
- Monitor system and application logs for unexpected crashes or memory errors, which may indicate attempted exploitation of the Font Parser flaw.