macOS CoreAudio Zero-Day Exploited in the Wild: A Deep Dive

2025-06-02

In April 2025, Apple patched CVE-2025-31200, a memory corruption vulnerability in CoreAudio that was being actively exploited in the wild. A security researcher analyzed the bug by comparing the old and new versions of the binary and traced it to apac::hoa::CodecConfig::Deserialize. The vulnerability stems from flawed array size handling during audio data parsing, which attackers could exploit for an out-of-bounds read/write, leading to a crash. Using reverse engineering and dynamic analysis, the researcher reproduced the vulnerability, revealing how it is exploited: it leverages the Apple Positional Audio Codec (APAC), using a crafted audio file to manipulate array sizes and achieve out-of-bounds memory access. Although the result is a crash, the vulnerability's potential for more sophisticated attacks is significant.
