Public disclosure of two linked vulnerabilities in Apple's iOS 18.x:
CVE-2025-31200 — Heap corruption in CoreAudio’s AudioConverterService, triggered by a malicious audio file delivered via iMessage. Zero-click, no user interaction required.
CVE-2025-31201 — Pointer Authentication (PAC) bypass in the RPAC path, enabling reliable kernel exploitation once arbitrary R/W is achieved.
Disclosure & Patch Timeline
Initial Report Date: January 21, 2025
Reported To: Apple & US-CERT (Tracking ID: VRF#25-01-MPVDT)
Patched By Apple: Silently resolved in iOS 18.4.1, released April 16, 2025
CVE Assignment: Identifiers CVE-2025-31200 and CVE-2025-31201 were assigned publicly due to lack of MITRE response
Due to the severity, prolonged silence from relevant stakeholders, and absence of acknowledgment post-patch, this repository is published to inform the security community and support defensive mitigation.
Affected Systems
iOS Versions: Zero-day until patched in iOS 18.4.1 (April 16, 2025)
Primary Vulnerable Component:AudioConverterService (CoreAudio) via iMessage / SMS delivery
Post-Exploitation Impact: Wireless subsystem manipulation and CryptoTokenKit abuse (no CVE assigned)
🛡️ Disclaimer
This report is released in the interest of public safety, transparency, and to support defenders and researchers. All information is based on independent research. No offensive code is included. The author remains open to coordination with trusted parties for validation and response.