PT-2025-18219 · Apple · Airplay Video Sdk+2

Published 2025-04-04 · Updated 2026-03-21 · CVE-2025-24132

CVSS v3.1: 6.5 Medium (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Name of the Vulnerable Software and Affected Versions

AirPlay audio SDK versions 2.7.1 and later
AirPlay video SDK versions 3.6.0.126 and later
CarPlay Communication Plug-in version R18.1 and later

Description

The issue was addressed with improved memory handling. The flaw could allow an attacker on the local network to cause an unexpected application termination. The vulnerability, identified as a stack buffer overflow within the AirPlay protocol, is exposed when a device connects to a car's multimedia system. Exploitation may allow an attacker to gain remote code execution (RCE) on the target device. The iAP2 protocol, used for connection management and data exchange, lacks proper input validation, so oversized data packets can be sent that overwrite memory buffers. Apple has released a patch, but many car manufacturers have not yet applied the update to their infotainment systems, leaving vehicles vulnerable. The vulnerability is exploitable over Bluetooth and Wi-Fi. The SET PARAMETER function is involved in the vulnerability.

Recommendations

AirPlay audio SDK versions prior to 2.7.1 are vulnerable.
AirPlay video SDK versions prior to 3.6.0.126 are vulnerable.
CarPlay Communication Plug-in versions prior to R18.1 are vulnerable.

Exploit · Fix · RCE · DoS · Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-05243
CVE-2025-24132

Affected Products

Airplay Audio Sdk
Airplay Video Sdk
Carplay Communication Plug-In