Cyber Resilience

CVE-2025-46290

High

Published: 11 February 2026

Published
11 February 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0011 28.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-46290 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Apple Macos. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-46290 is a logic issue addressed through improved checks in multiple Apple operating systems and platforms. The vulnerability affects iOS and iPadOS prior to versions 18.7.3 and 26.2, macOS Sequoia prior to 15.7.4, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.2, visionOS prior to 26.2, and watchOS prior to 26.2. It is associated with CWE-693 (Protection Mechanism Failure) and CWE-703 (Improper Check or Handling of Exceptional Conditions), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation leads to a denial-of-service condition, disrupting service availability on the targeted device without compromising confidentiality or integrity.

Apple security advisories detail mitigations through patches in the specified versions, as outlined in support documents such as https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125885, https://support.apple.com/en-us/125886, https://support.apple.com/en-us/125890, and https://support.apple.com/en-us/125891. Security practitioners should prioritize updating affected devices to these versions to prevent exploitation.

EU & UK References

Vulnerability details

A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. A remote attacker may…

more

be able to cause a denial-of-service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote network exploitation of an Apple OS flaw (protection mechanism failure) to crash/deny availability on the endpoint device, directly matching application/system exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24265Same product: Apple Macos
CVE-2026-28842Same product: Apple Macos
CVE-2025-30444Same product: Apple Macos
CVE-2025-24139Same product: Apple Macos
CVE-2026-20639Same product: Apple Macos
CVE-2026-28848Same product: Apple Macos
CVE-2025-43244Same product: Apple Macos
CVE-2025-24120Same product: Apple Macos
CVE-2026-20701Same product: Apple Macos
CVE-2025-24269Same product: Apple Macos

Affected Assets

apple
macos
≤ 14.8.4 · 15.0 — 15.7.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through applying vendor patches directly prevents exploitation of this logic issue causing remote denial-of-service.

prevent

Denial-of-service protections at system entry points block or mitigate remote network attacks exploiting this vulnerability's availability impact.

prevent

Information input validation enforces improved checks on network inputs to address the logic flaw and prevent denial-of-service conditions.

References