CVE-2025-24132

Name of the Vulnerable Software and Affected Versions AirPlay audio SDK versions prior to 2.7.1 AirPlay video SDK versions prior to 3.6.0.126 CarPlay Communication Plug-in versions prior to R18.1

Description The issue involves improved memory handling and a stack buffer overflow within the iAP2 protocol used by Apple CarPlay. An attacker on the local network may be able to cause an unexpected app termination or potentially gain remote code execution. The vulnerability exists in the AirPlay protocol and affects devices that utilize the AirPlay SDK. Exploitation can occur remotely and without user interaction. The vulnerability, identified as CVE-2025-24132, allows an attacker to execute code on the vehicle’s head unit. The iAP2 protocol lacks proper length validation for incoming data, such as the device name, allowing an attacker to send a specially crafted packet exceeding the allocated buffer size. While Apple released patches in March 2025, many car manufacturers have not yet deployed the updates to their infotainment systems, leaving vehicles vulnerable.

Recommendations AirPlay audio SDK versions prior to 2.7.1: Update to version 2.7.1 or later. AirPlay video SDK versions prior to 3.6.0.126: Update to version 3.6.0.126 or later. CarPlay Communication Plug-in versions prior to R18.1: Update to version R18.1 or later.