About the security content of tvOS 18.3

This document describes the security content of tvOS 18.3.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

tvOS 18.3

AirPlay

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: A null pointer dereference was addressed with improved input validation.

CVE-2025-24179: Uri Katz (Oligo Security)

AirPlay

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to corrupt process memory

Description: An input validation issue was addressed.

CVE-2025-24126: Uri Katz (Oligo Security)

AirPlay

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may cause an unexpected app termination

Description: A type confusion issue was addressed with improved checks.

CVE-2025-24129: Uri Katz (Oligo Security)

AirPlay

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2025-24131: Uri Katz (Oligo Security)

AirPlay

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An attacker on the local network may corrupt process memory

Description: A type confusion issue was addressed with improved checks.

CVE-2025-24137: Uri Katz (Oligo Security)

ARKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24127: Minghao Lin (@Y1nKoc), babywu, and Xingwei Lin of Zhejiang University

CoreAudio

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24160: Google Threat Analysis Group

CVE-2025-24161: Google Threat Analysis Group

CVE-2025-24163: Google Threat Analysis Group

CoreMedia

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24123: Desmond working with Trend Micro Zero Day Initiative

CVE-2025-24124: Pwn2car & Rotiple (HyeongSeok Jang) working with Trend Micro Zero Day Initiative

CoreMedia

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.

Description: A use after free issue was addressed with improved memory management.

CVE-2025-24085

CoreMedia Playback

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2025-24184: Song Hyun Bae (@bshyuunn) and Lee Dong Ha (Who4mI)

Display

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to cause unexpected system termination

Description: A memory corruption issue was addressed with improved state management.

CVE-2025-24111: Wang Yu of Cyberserval

ImageIO

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2025-24086: DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) in Enki WhiteHat, D4m0n

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to leak sensitive kernel state

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2025-24144: Mateusz Krzywicki (@krzywix)

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: A malicious app may be able to gain root privileges

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-24107: an anonymous researcher

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A validation issue was addressed with improved logic.

CVE-2025-24159: pattern-f (@pattern_F_)

libxslt

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2024-55549: Ivan Fratric of Google Project Zero

CVE-2025-24855: Ivan Fratric of Google Project Zero

PackageKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to modify protected parts of the file system

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-31262: Mickey Jin (@patch1t)

SceneKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Parsing a file may lead to disclosure of user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2025-24149: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to memory corruption

Description: The issue was addressed with improved checks.

CVE-2025-24189: an anonymous researcher

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2025-24158: Q1IQ (@q1iqF) of NUS CuriOSity and P1umer (@p1umer) of Imperial Global Singapore.

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: This issue was addressed through improved state management.

CVE-2025-24162: linjy of HKUS3Lab and chluo of WHUSecLab

Additional recognition

Audio

We would like to acknowledge Google Threat Analysis Group for their assistance.

CoreAudio

We would like to acknowledge Google Threat Analysis Group for their assistance.

iCloud

We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College of Technology Bhopal India, George Kovaios, Srijan Poudel for their assistance.

Passwords

We would like to acknowledge Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_co for their assistance.

Static Linker

We would like to acknowledge Holger Fuhrmannek for their assistance.