
Critical Security Flaws in visionOS 26 Fixed as Apple Patches 18 Vulnerabilities

Apple has released visionOS 26, addressing eighteen security flaws across the Apple Vision Pro platform that could have allowed unauthorized access to sensitive user data.

Issued on September 15, 2025, the update covers a broad spectrum of components—ranging from the file integrity subsystem to WebKit—fortifying sandbox boundaries, improving input validation, and closing memory corruption gaps.

Users and organizations are strongly encouraged to install visionOS 26 immediately to safeguard Vision Pro devices against potential attacks.

Critical File Integrity and Bluetooth Controls

One of the most serious patches targets the AppleMobileFileIntegrity component, where a permissions issue could have enabled malicious apps to read or modify protected files.

visionOS 26 enforces stricter access controls and reinforces sandbox boundaries to prevent apps from overstepping their permitted file system areas.

Two Bluetooth-related vulnerabilities, CVE-2025-43354 and CVE-2025-43303, dealt with logging and data exposure risks.

By strengthening data redaction and refining event filtering, Apple ensures that Bluetooth activity cannot be exploited to leak user data or bypass privacy safeguards.

Media Processing and WebKit Hardening

visionOS 26 also addresses several flaws in media and audio processing that could trigger unexpected crashes or permit out-of-bounds memory access.

An out-of-bounds read in the Audio subsystem (CVE-2025-43346) and an out-of-bounds write in the CoreAudio video processor (CVE-2025-43349) have been mitigated through enhanced bounds checking.

CoreMedia’s file handling vulnerability (CVE-2025-43372) now employs rigorous input validation to stop malformed media from corrupting memory.

The update integrates an upstream fix for SQLite (CVE-2025-6965) to prevent memory corruption during database reads.

WebKit, a frequent target for exploitation, receives six patches (CVE-2025-43356, CVE-2025-43272, CVE-2025-43343, CVE-2025-43342, plus two more) that close loopholes permitting crafted web content to access sensor data or crash Safari and related processes.

Apple improved cache handling, memory management, and correctness checks to ensure web content cannot subvert user privacy or stability.

Kernel, Disk Arbitration, and System Component Updates

The kernel update (CVE-2025-43359) fixes a logic error that could expose a UDP server socket to all network interfaces, reinforcing state management to bind sockets only to intended interfaces.
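
The invariant behind this fix, that a UDP socket bound to one local address stays bound to that address, can also be checked from the application side. The C code below is an added example, not Apple's code and not part of the advisory; the function names are hypothetical, and it is not claimed to detect CVE-2025-43359 itself, only to show how a service can compare what the kernel reports for its socket against the address it intended.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical result codes for this added example. */
enum bind_state { BIND_OK = 0, BIND_WILDCARD = 1, BIND_MISMATCH = 2, BIND_ERROR = 3 };
/* Compare a local address (as returned by getsockname) with the intended one. */
enum bind_state classify_local_addr(const struct sockaddr *sa, const char *expected_ip)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        struct in_addr want;
        if (in4->sin_addr.s_addr == htonl(INADDR_ANY)) return BIND_WILDCARD;
        if (inet_pton(AF_INET, expected_ip, &want) != 1) return BIND_ERROR;
        return in4->sin_addr.s_addr == want.s_addr ? BIND_OK : BIND_MISMATCH;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        struct in6_addr want;
        if (IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr)) return BIND_WILDCARD;
        if (inet_pton(AF_INET6, expected_ip, &want) != 1) return BIND_ERROR;
        return memcmp(&in6->sin6_addr, &want, sizeof want) == 0 ? BIND_OK : BIND_MISMATCH;
    }
    return BIND_ERROR;
}

/* Ask the kernel what the socket is bound to right now and classify it. */
enum bind_state check_udp_binding(int fd, const char *expected_ip)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0) return BIND_ERROR;
    return classify_local_addr((const struct sockaddr *)&ss, expected_ip);
}

/* Bind a UDP socket to one IPv4 address (port 0 = ephemeral); returns fd or -1. */
int bind_udp_ipv4(const char *ip)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) { close(fd); return -1; }
    return fd;
}
```

A service can call `check_udp_binding` after `bind` and again at intervals, treating `BIND_WILDCARD` or `BIND_MISMATCH` as a reason to close the socket and raise an alert.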

In the DiskArbitration framework, the fix for CVE-2025-43316 introduces additional permission checks to thwart privilege escalation attempts.

An out-of-bounds write in the IOHIDFamily module (CVE-2025-43302) has been patched with robust memory validation to prevent invalid writes and system crashes.

The MobileStorageMounter type confusion bug (CVE-2025-43355) now uses safer memory handling routines to eliminate denial-of-service vectors.

Finally, a vulnerable code path in the System component (CVE-2025-43347) has been removed entirely, eradicating a potential invalid-input acceptance point.

Apple’s security release credits researchers, including Mickey Jin, Hossein Lotfi, and Csaba Fit, for their contributions.

As per Apple’s policy, these issues were confirmed only after patches were available, and the full list of updates can be found on the Apple security releases page.

Installing visionOS 26 ensures Vision Pro devices remain protected against these eighteen vulnerabilities and maintains user data integrity and privacy.
