Apple Patches 18 Vulnerabilities in visionOS 26 Allowing Access to Sensitive User Data

Apple has released visionOS 26, addressing eighteen security flaws that could allow unauthorized access to sensitive user data. 

The update, issued on September 15, 2025, covers a wide range of components in the Apple Vision Pro platform.

Apple’s policy is to confirm security issues only after patches are available, and visionOS 26 follows this practice. The full list of recent updates can be found on the Apple security releases page.

Overview of the Vulnerability

One of the most serious fixes involves the AppleMobileFileIntegrity component. A permissions issue could have allowed apps to read or modify protected files.

With visionOS 26, Apple has added stricter access controls and expanded sandbox boundaries. Two Bluetooth flaws, CVE-2025-43354 and CVE-2025-43303, also deal with logging and data exposure.

In both cases, improved data redaction ensures apps cannot capture or leak user data through Bluetooth activity.

The Spell Check module, covered under CVE-2025-43190, suffered from a directory path parsing error.

A crafted app might have used this glitch to view files outside its permitted area. Apple has strengthened path validation to close this gap.

Multiple issues in media and audio processing could have led to apps or the system crashing unexpectedly.

The Audio subsystem suffered an out-of-bounds access bug (CVE-2025-43346) and the CoreAudio video processor contained an out-of-bounds write flaw (CVE-2025-43349).

Improved bounds checking and input validation now stop malformed media files from corrupting memory or terminating apps.

CoreMedia, under CVE-2025-43372, also handled media files insecurely. Apple applied better input checks.

The SQLite engine, addressed under CVE-2025-6965, is part of open source code used across Apple software. VisionOS 26 includes an upstream fix to prevent memory corruption when reading database files.

An out-of-bounds write in the IOHIDFamily module (CVE-2025-43302) could let an app crash the system. Improved memory checks now prevent invalid writes.

The MobileStorageMounter type confusion bug (CVE-2025-43355) has been fixed with safer memory handling to avoid denial-of-service attacks.

WebKit remains a common target for security researchers. Six WebKit bugs in visionOS 26 allow malicious sites to access sensor data without permission or crash Safari and related processes.

Bugs CVE-2025-43356, CVE-2025-43272, CVE-2025-43343, and CVE-2025-43342 all involve crafted web content.

Apple improved cache handling, memory management, and correctness checks to resolve these issues.

The kernel update, CVE-2025-43359, fixes a logic error that could expose a UDP server socket to all network interfaces.

Better state management now ensures sockets bind only to intended interfaces. In the DiskArbitration framework (CVE-2025-43316), Apple added permission checks to prevent apps from escalating privileges to root.

Finally, the System component under CVE-2025-43347 had a vulnerable code path that could accept invalid input. This code was removed entirely to eliminate the risk.

Apple continues to reference CVE IDs for all security issues wherever possible, crediting researchers including Mickey Jin, Hossein Lotfi, Csaba Fitzl, and many others. 

Users and organizations should install visionOS 26 immediately to protect Vision Pro devices from these potential attacks.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.