CVE-2025-43506
📋 TL;DR
A logic error in macOS iCloud Private Relay prevents activation when multiple users are logged in simultaneously, potentially exposing network traffic. This affects macOS users with iCloud Private Relay enabled who share devices or have multiple active sessions. The vulnerability allows unintended traffic routing outside the encrypted Private Relay tunnel.
💻 Affected Systems
- macOS
- iCloud Private Relay
📦 What is this software?
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
Unencrypted network traffic interception by malicious actors, exposing sensitive data like browsing history, credentials, or personal information when users believe they are protected by Private Relay.
Likely Case
Accidental exposure of network traffic to local network observers or ISPs when users share devices, potentially revealing non-sensitive browsing patterns.
If Mitigated
Minimal impact if users avoid sharing devices or manually verify Private Relay activation status before sensitive activities.
🎯 Exploit Status
Exploitation requires local access to trigger the logic error by having multiple users logged in, but no authentication bypass is needed beyond that condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Tahoe 26.1
Vendor Advisory: https://support.apple.com/en-us/125634
Restart Required: Yes
Instructions:
1. Open System Settings.
2. Go to General > Software Update.
3. Install the macOS Tahoe 26.1 update.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Disable iCloud Private Relay
Temporarily turn off Private Relay to prevent the logic error from affecting traffic encryption.
Open System Settings > [Your Name] > iCloud > Private Relay > toggle off
Single User Session Enforcement
Ensure only one user is logged in at a time to avoid triggering the vulnerability.
Log out all other users before using Private Relay
🧯 If You Can't Patch
- Avoid using shared macOS devices for sensitive activities when iCloud Private Relay is needed.
- Manually verify Private Relay is active (check network settings or use a site like whatismyipaddress.com) before transmitting sensitive data.
🔍 How to Verify
Check if Vulnerable:
Check the macOS version: a system running a version before Tahoe 26.1, with iCloud Private Relay enabled and multiple users logged in, is vulnerable.
Check Version:
sw_vers
Verify Fix Applied:
Confirm macOS version is Tahoe 26.1 or later via System Settings > General > About, and test Private Relay activation with multiple users logged in.
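Added example (not part of the vendor advisory or the original page): a POSIX shell check that combines the two conditions above, the macOS version against the 26.1 fix and the number of distinct logged-in users. The function names and verdict strings are hypothetical, and counting every login name reported by `who` as a logged-in user is an assumption; Private Relay state is not read and still has to be confirmed in System Settings.

```sh
#!/bin/sh
# Added example: evaluates the "Check if Vulnerable" condition from this page.
# Assumption: every distinct login name reported by `who` counts as a logged-in user.
# Private Relay state is not read here; confirm it in System Settings.

FIXED_VERSION="26.1"   # patch version stated on this page

# version_lt A B: succeed when dotted numeric version A is lower than B
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# distinct_users: read `who` output on stdin, print the number of distinct login names
distinct_users() {
    awk 'NF { seen[$1] = 1 } END { n = 0; for (u in seen) n++; print n }'
}

# assess VERSION WHO_OUTPUT: print patched | at-risk | unpatched-single-user
assess() {
    users=$(printf '%s\n' "$2" | distinct_users)
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "patched"
    elif [ "$users" -gt 1 ]; then
        echo "at-risk"
    else
        echo "unpatched-single-user"
    fi
}

# On a Mac, assess the live host; elsewhere feed the functions captured output.
if command -v sw_vers >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" "$(who)"
fi
```

A verdict of `at-risk` means the host matches the version and multi-user conditions; whether traffic is actually leaving the relay still depends on Private Relay being enabled for the active account.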
📡 Detection & Monitoring
Log Indicators:
- System logs showing Private Relay activation failures when multiple users are active
- Network logs showing unencrypted traffic from devices with Private Relay enabled
Network Indicators:
- Unencrypted HTTP traffic originating from devices configured for Private Relay
- DNS queries not routed through Apple's Private Relay servers
SIEM Query:
source="macOS" AND (event="Private Relay failure" OR "multiple user sessions")