CoreAudio memory corruption in multiple Apple products
CVE-2025-31200 is a memory corruption vulnerability in Apple's CoreAudio component affecting iOS, iPadOS, macOS, tvOS, and visionOS. Apple states that processing an audio stream in a maliciously crafted media file may result in code execution. The issue was addressed through improved bounds checking, indicating an out-of-bounds memory access condition during audio stream handling. Apple reported that the flaw may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a proof-of-concept (PoC) exploit for CVE-2025-31200, a buffer overflow in Apple's CoreAudio APAC decoder affecting iOS < 18.4.1 and macOS < 15.4.1. The exploit works by generating a malicious APAC audio cookie with mismatched channel counts (global: 4, remapping: 64), which is embedded into an audio file (MP4/M4A). When a vulnerable system processes this file (e.g., via AVAudioPlayer, a browser, or an email client), it triggers out-of-bounds memory access in the APACChannelRemapper::Process function, causing a crash and potential memory corruption. The repository contains Python scripts for generating the exploit payload (poc.py), creating and verifying malicious audio files (generate_audio.py, create_malicious_mp4.py, test_exploit.py), and utility modules for manipulating APAC cookies (caf_utils.py, parser.py). The exploit is primarily a denial of service but could be extended for code execution with advanced payloads. No network endpoints are present; the attack is delivered via crafted media files.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-31200, a vulnerability in Apple's CoreAudio APAC (Apple Positional Audio Codec) decoder affecting macOS (<15.4.1) and iOS (<18.4.1). The exploit demonstrates how a mismatch between the channel layout tag and the remapping array in the APAC/HOA decoder can lead to out-of-bounds reads and writes, potentially allowing for memory corruption. The repository contains:
- 'encodeme.mm': The main exploit code, which crafts a malformed APAC audio file by manipulating the channel layout and remapping array.
- 'build_encodeme.sh' and 'run_encodeme.sh': Scripts to build and run the exploit, the latter using LLDB to inject further memory manipulation at runtime.
- 'check-mismatch.lldb' and 'run_encodeme_hook.lldb': LLDB scripts to set breakpoints and observe/control the memory state during exploitation.
- 'convertme2.swift' and 'getaudiolength.swift': Swift utilities for converting audio and checking file properties.
- 'apac.ksy': Kaitai Struct definition for the APAC format, useful for understanding and manipulating the binary structure of APAC files.
The exploit is not fully weaponized; it is a research PoC that demonstrates the bug and provides a controlled (but not fully arbitrary) write. It requires manual steps and a vulnerable system. No network endpoints are involved; the attack vector is local, requiring the ability to run code and debug on the target system.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
77 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apple Core Audio memory corruption vulnerability that can allow code execution when processing audio; reported actively exploited in targeted attacks.
An Apple zero-day vulnerability referenced as exploited in the wild in 2025 (no additional technical details provided in the content).
A code execution vulnerability in CoreAudio, triggered by processing a maliciously crafted media file. It has been exploited in sophisticated targeted attacks against specific individuals on iOS versions before 18.4.1.
A memory corruption vulnerability in the Core Audio framework of Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS, actively exploited in sophisticated targeted attacks.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.