Summary
CVE: CVE-2025-43254
Component: libmacho.dylib
Vulnerability Type: Out-of-bounds memory access
Vendor: Apple
Severity: Medium
Product: macOS
Affected Versions: Sonoma, Sequoia, Ventura
Fix Status: Fixed by vendor (Apple Security Update)
Credit: 2ourc3
Description
A security vulnerability has been identified in macOS’s libmacho.dylib. The bug allows an attacker to trigger an out-of-bounds memory access using a specially crafted Mach-O fat binary, potentially leading to information disclosure or remote code execution (depending on memory layout and exploitation constraints).
The issue lives in the swap_fat_arch function, which is responsible for byte-swapping architecture-specific entries in Mach-O fat binaries. This code path is exercised by common tooling such as the macOS file utility (which relies on Mach-O parsing to identify file types), so the bug is reachable through typical file inspection workflows.
The function fails to validate the architecture count provided in the fat header before iterating over the architecture entries. By supplying an extremely large architecture count (e.g. 0x80000003, i.e. more than 2 billion), the code walks far past the input buffer and eventually dereferences invalid memory, resulting in a crash (and potentially more, depending on context).
Root cause
swap_fat_arch receives:
- a pointer to the fat header (x0)
- the number of architectures (x1)
…but does not ensure that:
- the architecture count is reasonable
- the subsequent memory reads stay within the bounds of the provided buffer
This can be triggered at different points inside the function depending on the exact layout:
- Offset +12 (ldur q0, [x9, #-0x10]): while attempting to load the fat header
- Offset +24 (ldr w10, [x9]): while attempting to load an architecture entry
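The following is an added example, not Apple's code and not part of the original advisory, showing the bounds check that the root cause section says is missing. It is a hypothetical hardened replacement for the swap_fat_arch pattern: it reads the fat header, derives how many fat_arch entries the supplied buffer can actually hold, and refuses to iterate when nfat_arch exceeds that. The structure layouts and magic values are copied from the public fat.h definitions so the example builds anywhere; the sample fat images (demo_valid, demo_oversized, demo_truncated) are constructed here and are not taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field layouts match the public <mach-o/fat.h> definitions, copied here so
 * the example builds on any platform. On disk both structures are big-endian. */
#define FAT_MAGIC 0xcafebabeU
#define FAT_CIGAM 0xbebafecaU          /* FAT_MAGIC as read by a little-endian host */
#define CPU_TYPE_ARM64  0x0100000cU    /* CPU_TYPE_ARM | CPU_ARCH_ABI64 */
#define CPU_TYPE_X86_64 0x01000007U

struct fat_header { uint32_t magic; uint32_t nfat_arch; };
struct fat_arch   { uint32_t cputype, cpusubtype, offset, size, align; };

enum fat_status { FAT_OK = 0, FAT_TOO_SHORT, FAT_BAD_MAGIC, FAT_NARCH_OOB };

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00U) | ((v << 8) & 0xff0000U) | (v << 24);
}

/* Hypothetical hardened parser (assumption: not libmacho's actual code).
 * Byte-swaps the architecture entries into host order, but only after
 * proving that nfat_arch entries really fit inside the `len` bytes given.
 * On success writes up to `max_out` entries to `out` and the declared
 * count to `n_decl`. */
static enum fat_status parse_fat_checked(const uint8_t *buf, size_t len,
                                         struct fat_arch *out, size_t max_out,
                                         uint32_t *n_decl)
{
    struct fat_header hdr;
    if (len < sizeof hdr) return FAT_TOO_SHORT;
    memcpy(&hdr, buf, sizeof hdr);
    int swap = (hdr.magic == FAT_CIGAM);          /* host order differs from disk */
    if (!swap && hdr.magic != FAT_MAGIC) return FAT_BAD_MAGIC;
    uint32_t narch = swap ? bswap32(hdr.nfat_arch) : hdr.nfat_arch;

    /* The check the advisory describes as missing: bound the count by what the
     * buffer can hold. Dividing, rather than multiplying narch by the entry
     * size, sidesteps the integer overflow a count like 0x80000003 would cause. */
    size_t room = (len - sizeof hdr) / sizeof(struct fat_arch);
    if (narch > room) return FAT_NARCH_OOB;

    uint32_t n = narch < max_out ? narch : (uint32_t)max_out;
    const uint8_t *p = buf + sizeof hdr;
    for (uint32_t i = 0; i < n; i++, p += sizeof(struct fat_arch)) {
        struct fat_arch a;
        memcpy(&a, p, sizeof a);                  /* in bounds by the check above */
        if (swap) {
            a.cputype = bswap32(a.cputype);  a.cpusubtype = bswap32(a.cpusubtype);
            a.offset  = bswap32(a.offset);   a.size       = bswap32(a.size);
            a.align   = bswap32(a.align);
        }
        out[i] = a;
    }
    *n_decl = narch;
    return FAT_OK;
}

/* ---- constructed sample inputs (not taken from any real binary) ---- */
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Builds a 48-byte fat image: header plus two 20-byte entries, with the
 * architecture count field set to `declared`. */
static void build_sample(uint8_t buf[48], uint32_t declared) {
    put_be32(buf, FAT_MAGIC);
    put_be32(buf + 4, declared);
    uint32_t arch[2][5] = {
        { CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14 },
        { CPU_TYPE_ARM64,  0, 0x8000, 0x1000, 14 },
    };
    for (int i = 0; i < 2; i++)
        for (int f = 0; f < 5; f++)
            put_be32(buf + 8 + i * 20 + f * 4, arch[i][f]);
}

/* Honest header: declares exactly the two entries that are present. */
static enum fat_status demo_valid(struct fat_arch out[2]) {
    uint8_t buf[48]; uint32_t n;
    build_sample(buf, 2);
    return parse_fat_checked(buf, sizeof buf, out, 2, &n);
}

/* Convenience accessor: cputype of entry `idx` after a successful parse. */
static uint32_t demo_valid_cputype(int idx) {
    struct fat_arch out[2];
    if (demo_valid(out) != FAT_OK) return 0;
    return out[idx].cputype;
}

/* The advisory's case: nfat_arch = 0x80000003 while only two entries exist. */
static enum fat_status demo_oversized(void) {
    uint8_t buf[48]; struct fat_arch out[2]; uint32_t n;
    build_sample(buf, 0x80000003U);
    return parse_fat_checked(buf, sizeof buf, out, 2, &n);
}

/* Related edge case: an honest count of 2, but the caller only has 28 bytes
 * (header plus one entry), so the second entry would be read out of bounds. */
static enum fat_status demo_truncated(void) {
    uint8_t buf[48]; struct fat_arch out[2]; uint32_t n;
    build_sample(buf, 2);
    return parse_fat_checked(buf, 28, out, 2, &n);
}

int main(void) {
    printf("valid header:     arch[1].cputype 0x%08x\n", demo_valid_cputype(1));
    printf("oversized header: status %d (FAT_NARCH_OOB=%d)\n", demo_oversized(), FAT_NARCH_OOB);
    printf("truncated buffer: status %d\n", demo_truncated());
    return 0;
}
```

The check is written as a division of the remaining buffer length by the entry size rather than a multiplication of nfat_arch by the entry size; with a count such as 0x80000003 the product overflows 32-bit arithmetic and a multiplication-based check could wrongly pass.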
Impact
A crafted Mach-O fat binary can cause an out-of-bounds access in libmacho.dylib. In the most conservative case this yields a segmentation fault (denial of service). In more favorable conditions, out-of-bounds accesses in parsing code can sometimes be escalated to information disclosure or code execution, depending on how the data is used and what primitives can be built from the bug.