A critical zero-click remote code execution (RCE) vulnerability, identified as CVE-2025-43300, has been discovered within Apple’s image processing infrastructure. This flaw resides in the JPEG Lossless Decompression component of the RawCamera.bundle, a core part of Apple’s operating systems responsible for handling various image formats. The vulnerability allows attackers to execute arbitrary code on affected devices without any user interaction, simply by sending a maliciously crafted Digital Negative (DNG) file.
Understanding the Vulnerability
The root cause of CVE-2025-43300 lies in a buffer overflow condition within the JPEG lossless decompression routine. Specifically, the flaw is triggered when a DNG file declares a `SamplesPerPixel` value of 2 in its SubIFD directory but contains only one component in the SOF3 (Start of Frame 3) block of the embedded JPEG lossless data. This discrepancy leads to an out-of-bounds write during the decompression process, enabling attackers to corrupt memory and potentially achieve arbitrary code execution.
Exploitation Details
Exploiting this vulnerability requires minimal modifications to a legitimate DNG file. An attacker needs to alter just two specific bytes:
1. Change the byte at offset 0x2FD00 from 01 to 02, modifying the `SamplesPerPixel` value.
2. Change the byte at offset 0x3E40B from 02 to 01, altering the SOF3 component count.
These precise changes create the critical mismatch that triggers the vulnerability. Given the simplicity of this modification, the exploit is particularly dangerous, as it can be easily weaponized.
Technical Analysis
The vulnerability exploits fundamental assumptions in Apple’s TIFF/DNG parsing engine and its interaction with JPEG lossless compression. DNG files, based on Adobe’s open-source raw image format specification, utilize the TIFF container structure with embedded JPEG lossless compressed image data in SubIFDs.
The attack leverages the complex interaction between multiple file format standards. The TIFF header structure contains an Image File Directory (IFD) with 12-byte directory entries specifying tags, types, counts, and values. The vulnerability specifically targets the `SamplesPerPixel` tag (0x0115) within SubIFDs that reference JPEG lossless compressed data marked with the Compression tag value 7.
When the decompression routine processes the JPEG data, it relies on the SOF3 marker (0xFFC3) to determine the actual component structure. The SOF3 segment contains critical metadata, including precision, dimensions, and most importantly, the component count. The vulnerability occurs when this component count disagrees with the previously declared `SamplesPerPixel` value, causing the decompression algorithm to write beyond allocated buffer boundaries.
Affected Devices and Impact
The vulnerability affects multiple Apple platforms, including:
– iOS 18.6.1 and earlier
– iPadOS 18.6.1 and earlier
– macOS Sequoia 15.6.0 and earlier
– macOS Sonoma 14.7.7 and earlier
– macOS Ventura 13.7.7 and earlier
– iPadOS 17.7.9 and earlier
The impact of this vulnerability is severe, with a CVSS 3.1 score of 9.8, categorizing it as critical. The zero-click nature of the exploit means that no user interaction is required; merely receiving a malicious DNG file through channels like iMessage, AirDrop, or photo import can trigger the vulnerability.
Real-World Exploitation
Apple’s security advisory acknowledges that CVE-2025-43300 has been actively exploited in sophisticated attacks targeting specific individuals. This elevates the vulnerability from a theoretical risk to a confirmed tool used by threat actors. The zero-click nature makes it particularly attractive for targeted surveillance operations, as victims require no interaction beyond receiving the malicious file.
Mitigation and Recommendations
Apple has released patches addressing this vulnerability in the following versions:
– iOS 18.6.2
– iPadOS 18.6.2
– macOS Sequoia 15.6.1
– macOS Sonoma 14.7.8
– macOS Ventura 13.7.8
– iPadOS 17.7.10
Users are strongly advised to update their devices immediately to these versions or later to mitigate the risk. Additionally, organizations should implement detection mechanisms to identify potential exploitation attempts targeting this critical vulnerability.
Conclusion
The discovery of CVE-2025-43300 underscores the importance of robust security practices and prompt patching. The zero-click nature of this exploit highlights the evolving sophistication of cyber threats and the need for continuous vigilance in the cybersecurity landscape.
