The use-after-free flaw allows privilege escalation in affected media applications running on Apple’s Core Media framework.

Apple addresses a zero-day flaw (CVE-2025-24085) and fixes 9 vulnerabilities in iOS 18.3, macOS Sequoia 15.3, and more.

As part of this batch of software updates, Apple also released several patches fixing security bugs, including a zero-day bug that “may have been actively exploited” — meaning hackers were using it to compromise devices — against users with iPhones running software older than iOS 17.2, which was released in December 2023.

The first zero-day of 2025 found in Apple products has been patched. Apple has released a patch for its first zero-day of 2025, fixing CVE-2025-24085, a use-after-free flaw affecting the CoreMedia component.

Apple has released critical software updates across its ecosystem to patch multiple security vulnerabilities, including an actively exploited zero-day flaw, CVE-2025-24085. This use-after-free bug in the Core Media component could allow malicious applications to gain elevated privileges.

The vulnerability has also prompted Apple to issue patches for macOS Sequoia and even the company's Vision Pro headset.

Apple has fixed a privilege escalation flaw in its Core Media framework that was used by hackers to attack iPhones running older versions of iOS.