CVE-2025-43376

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to view leaked DNS queries when Apple's Private Relay feature is enabled. It affects users of Safari, iOS, iPadOS, tvOS, watchOS, and visionOS with Private Relay turned on. The issue involves a logic flaw in state management that exposes DNS query information.

💻 Affected Systems

Products:
  • Safari
  • iOS
  • iPadOS
  • tvOS
  • watchOS
  • visionOS
Versions: prior to 26
Operating Systems: iOS, iPadOS, tvOS, watchOS, visionOS, macOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Private Relay feature is enabled. Private Relay is an opt-in privacy feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could monitor DNS queries to infer browsing history, visited websites, and potentially identify sensitive services or applications being accessed by the user.

🟠 Likely Case

Attackers could gather information about user browsing patterns and potentially identify frequently visited websites or services.

🟢 If Mitigated

With Private Relay disabled or systems patched, DNS queries remain protected and no information leakage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Remote exploitation requires the attacker to be in a position to monitor network traffic. No authentication is required, because this is a network-level information disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, visionOS 26

Vendor Advisory: https://support.apple.com/en-us/125108

Restart Required: Yes

Instructions:

1. Update affected devices to the latest version (26 or later).
2. For iOS/iPadOS: Settings > General > Software Update.
3. For macOS: System Settings > General > Software Update.
4. For tvOS/watchOS/visionOS: use the respective update mechanism in Settings.

🔧 Temporary Workarounds

Disable Private Relay (all platforms)

Temporarily disable the Private Relay feature to prevent DNS query leakage.

🧯 If You Can't Patch

  • Disable Private Relay feature on all affected devices
  • Use alternative DNS privacy solutions like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) through third-party applications

🔍 How to Verify

Check if Vulnerable:

Check whether the device is running a version prior to 26 and has Private Relay enabled in Settings.

Check Version:

  • iOS/iPadOS: Settings > General > About > Version
  • macOS: Apple menu > About This Mac > macOS version
  • Safari: Safari menu > About Safari

Verify Fix Applied:

Verify that the device is running version 26 or later and that Private Relay is functioning normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS query patterns
  • DNS query failures when Private Relay is enabled

Network Indicators:

  • DNS queries appearing in cleartext when Private Relay should be encrypting them
  • Unexpected DNS traffic patterns

SIEM Query:

dns.query AND (device.os.version < 26) AND (feature.private_relay = true)
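The SIEM pseudo-query above only selects devices that match the vulnerable condition (unpatched build with Private Relay on); it does not by itself show that a query actually left in cleartext. The following is an added example, not part of this advisory, that applies the page's three conditions to DNS log records and then keeps only the records whose transport is plain port-53 DNS, which is the network indicator listed above. The field names (`os_version`, `private_relay`, `transport`), the transport tags, and the sample records are constructed assumptions; in practice the Private Relay flag would come from a device-inventory join rather than from the DNS log itself.

```python
# Added example (not from the advisory): evaluate the page's SIEM pseudo-query
#   dns.query AND (device.os.version < 26) AND (feature.private_relay = true)
# over DNS log records, narrowed to the network indicator the page lists:
# a DNS query seen in cleartext from a device on which Private Relay is enabled.
# Field names, transport tags and the sample records are constructed for this example.

CLEARTEXT_TRANSPORTS = {"udp/53", "tcp/53"}   # assumption: how the log tags plain DNS
FIXED_MAJOR = 26                              # from the advisory: fixed in version 26

SAMPLE_LOGS = [  # constructed sample records, not real telemetry
    {"device": "iphone-01", "os_version": "18.6.2", "private_relay": True,
     "transport": "udp/53", "qname": "example.com"},
    {"device": "ipad-02", "os_version": "26.0", "private_relay": True,
     "transport": "udp/53", "qname": "example.org"},      # patched: not flagged
    {"device": "mac-03", "os_version": "15.6", "private_relay": False,
     "transport": "udp/53", "qname": "example.net"},      # relay off: not flagged
    {"device": "iphone-04", "os_version": "18.6.2", "private_relay": True,
     "transport": "https/443", "qname": "example.com"},   # encrypted: not flagged
]


def parse_major(version: str) -> int:
    """Return the major component of a dotted version string ('18.6.2' -> 18)."""
    return int(version.split(".")[0])


def is_vulnerable_record(rec: dict) -> bool:
    """The page's query: unpatched build (major < 26) with Private Relay turned on."""
    return parse_major(rec["os_version"]) < FIXED_MAJOR and bool(rec["private_relay"])


def find_leaked_dns(records) -> list:
    """Device names whose DNS left in cleartext although Private Relay should have covered it."""
    hits = []
    for rec in records:
        if is_vulnerable_record(rec) and rec["transport"] in CLEARTEXT_TRANSPORTS:
            hits.append(rec["device"])
    return hits


if __name__ == "__main__":
    for dev in find_leaked_dns(SAMPLE_LOGS):
        print(f"cleartext DNS from Private Relay device on unpatched build: {dev}")
```

Run against the constructed records, only `iphone-01` is reported: `ipad-02` is on a fixed build, `mac-03` has Private Relay off, and `iphone-04` resolved over an encrypted transport. After devices are updated to version 26, any remaining hit from this logic points at a device whose version or Private Relay inventory data is stale and worth re-checking.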
