CVE-2025-24132

Name of the Vulnerable Software and Affected Versions Apple AirPlay audio SDK versions 2.7.1 and earlier Apple AirPlay video SDK versions 3.6.0.126 and earlier Apple CarPlay Communication Plug-in versions R18.1 and earlier

Description This issue involves improved memory handling and can lead to an unexpected application termination if exploited by an attacker on the local network. The vulnerability is a stack buffer overflow within the AirPlay protocol, specifically in the iAP2 protocol used by CarPlay. Exploitation may allow an attacker to gain remote code execution (RCE) on the target device. The vulnerability is present when a device connects to the car’s multimedia system. The

SET PARAMETER

function is vulnerable due to insufficient input validation, allowing an attacker to send a specially crafted packet with an oversized field, exceeding the allocated buffer size. While a patch has been released by Apple, many car manufacturers have not yet applied the fix to their infotainment systems. The vulnerability is exploitable over Bluetooth or Wi-Fi.

Recommendations Apple AirPlay audio SDK versions 2.7.0 and earlier: Update to version 2.7.1 or later. Apple AirPlay video SDK versions 3.6.0.125 and earlier: Update to version 3.6.0.126 or later. Apple CarPlay Communication Plug-in versions R18.0 and earlier: Update to version R18.1 or later.