
Apple’s first iOS 26 security update fixes memory corruption flaw | Computer Weekly

By Computer Weekly
September 30, 2025


Apple has pushed the first security update for its latest iPhone operating system, iOS 26, fixing a single, medium-severity vulnerability, assigned designation CVE-2025-43400, affecting Apple FontParser, a component in Apple operating systems that enables font processing.

“FontParser is the system that interprets font files, so characters can be interpreted across applications, documents and the web,” said Sylvain Cortes, vice-president of strategy at Hackuity, a security exposure management specialist. “As these files are often loaded automatically from documents, emails or websites, vulnerabilities here are high risk,” he explained.

CVE-2025-43400 is an out-of-bounds write issue which is exploited when a vulnerable device processes a maliciously crafted font hidden in an otherwise seemingly benign piece of content. Affected devices may experience unexpected behaviours such as sudden app termination or process memory corruption.

While app crashes are more often annoying than risky, process memory corruption is particularly dangerous because, given the right circumstances, it can form one element of an attack chain, leading to behaviour that enables an attacker to gain unauthorised system access, exfiltrate data, or even achieve remote code execution (RCE) further down the line.

According to Johannes Ullrich of the SANS Technology Institute, it is unclear whether CVE-2025-43400 is exploitable for RCE; however, there remains a chance that successful exploitation of CVE-2025-43400 may result in ransomware attacks.

In a typically bare-bones announcement – Apple does not offer much detail on vulnerabilities in its mobile products lest they be exploited to target its vast user base – the supplier gave no indication as to whether or not CVE-2025-43400 is being exploited in the wild.

Historically, many security vulnerabilities uncovered in Apple’s mobile operating system have had significant impacts, with many being weaponised in targeted espionage and surveillance activities by spyware-makers and unsavoury governments.

“Although no active exploitation has been observed in the wild, users and enterprises should immediately apply the latest updates across all Apple devices to minimise exposure to attacks,” said Cortes.

Adam Boynton, senior security strategy manager for EMEIA at Apple device management specialist Jamf, echoed this sentiment and urged security managers not to be lulled into a false sense of complacency.

“Because the issue has the potential to cause service disruptions or undermine system stability, we strongly recommend updating to iOS 26.0.1 at your earliest convenience,” he said. “Organisations should ensure fleet devices are kept current, enforce compliance, and monitor for OS update roll-out status.” 

The update takes iOS 26 to version 26.0.1 and, as usual, users whose devices have not automatically applied it can find it by navigating to their device Settings, followed by General, Software Update, and Download and Install.

CVE-2025-43400 is also fixed in iOS 18.7.1, iPadOS 26.0.1 and 18.7.1, macOS Sequoia 15.7.1, macOS Sonoma 14.8.1, macOS Tahoe 26.01.1, and visionOS 26.0.1.
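
A fleet check against the fixed versions listed above can be scripted by comparing each device's reported OS version with the fix for its major release. The Python below is an added example, not code from Apple, Jamf or the article's sources; it covers only the iOS and iPadOS versions named above, and the inventory rows, device names and status labels are constructed for illustration.

```python
# Fixed versions for CVE-2025-43400 per OS and major release, as listed in the article.
FIXED = {
    ("iOS", 26): (26, 0, 1),
    ("iOS", 18): (18, 7, 1),
    ("iPadOS", 26): (26, 0, 1),
    ("iPadOS", 18): (18, 7, 1),
}

def parse_version(text):
    """Turn '18.7' or '26.0.1' into a 3-tuple of ints; raise ValueError if malformed."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_name, version_text):
    """Return 'patched', 'needs-update', 'review' or 'unparseable' (labels are illustrative)."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"  # inventory gave no usable version: check the device by hand
    fixed = FIXED.get((os_name, version[0]))
    if fixed is None:
        return "review"  # no fix listed for this OS / major release in the table above
    return "patched" if version >= fixed else "needs-update"

# Constructed inventory rows: (device name, OS, reported version).
INVENTORY = [
    ("iphone-001", "iOS", "26.0"),
    ("iphone-002", "iOS", "26.0.1"),
    ("iphone-003", "iOS", "18.7"),
    ("ipad-001", "iPadOS", "18.7.1"),
    ("ipad-002", "iPadOS", "17.7.2"),
    ("iphone-004", "iOS", "unknown"),
]

def report(inventory):
    """Group device names by status so the roll-out can be tracked per bucket."""
    out = {}
    for device, os_name, version in inventory:
        out.setdefault(classify(os_name, version), []).append(device)
    return out

if __name__ == "__main__":
    for status, devices in sorted(report(INVENTORY).items()):
        print(f"{status:13} {', '.join(devices)}")
```
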

Benign bugs

Apple dropped iOS 26 on 15 September 2025, and besides the security fix, the new update also addresses some rather more benign, albeit frustrating bugs, including issues with Bluetooth, 5G and Wi-Fi connectivity on some models, and problems with app icon displays and device cameras.


