About the security content of iPadOS 17.7.4

This document describes the security content of iPadOS 17.7.4.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iPadOS 17.7.4

AirPlay

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

Description: A type confusion issue was addressed with improved checks.

CVE-2025-24137: Uri Katz (Oligo Security)

ARKit

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24127: Minghao Lin (@Y1nKoc), babywu, and Xingwei Lin of Zhejiang University

CoreAudio

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24161: Google Threat Analysis Group

CVE-2025-24160: Google Threat Analysis Group

CVE-2025-24163: Google Threat Analysis Group

CoreMedia

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Parsing a file may lead to an unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2025-24123: Desmond working with Trend Micro Zero Day Initiative

CVE-2025-24124: Pwn2car & Rotiple(HyeongSeok Jang) working with Trend Micro Zero Day Initiative

CoreRoutine

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: An app may be able to determine a user’s current location

Description: The issue was addressed with improved checks.

CVE-2025-24102: Kirin (@Pwnrin)

ICU

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2024-54478: Gary Kwong

ImageIO

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2025-24086: DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) in Enki WhiteHat, D4m0n

Kernel

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2025-24118: Joseph Ravichandran (@0xjprx) of MIT CSAIL

Kernel

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A validation issue was addressed with improved logic.

CVE-2025-24159: pattern-f (@pattern_F_)

LaunchServices

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: An app may be able to fingerprint the user

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2025-24117: Michael (Biscuit) Thomas (@biscuit@social.lol)

Managed Configuration

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Restoring a maliciously crafted backup file may lead to modification of protected system files

Description: This issue was addressed with improved handling of symlinks.

CVE-2025-24104: Hichem Maloufi, Hakim Boukhadra

QuartzCore

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved checks.

CVE-2024-54497: Anonymous working with Trend Micro Zero Day Initiative

SceneKit

Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

Impact: Parsing a file may lead to disclosure of user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2025-24149: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Additional recognition

CoreAudio

We would like to acknowledge Google Threat Analysis Group for their assistance.

CoreMedia Playback

We would like to acknowledge Song Hyun Bae (@bshyuunn) and Lee Dong Ha (Who4mI) for their assistance.

Static Linker

We would like to acknowledge Holger Fuhrmannek for their assistance.