Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed: Remote Exploitation via Malicious Media Files

Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion advisory, ZDI-26-231, discloses a separate macOS information disclosure flaw. Both were disclosed on 30 March 2026 following the expiry of ZDI's 120-day coordinated disclosure window.

#macos #apple #coremedia #rce #zdi #out-of-bounds-write #media-processing

The Vulnerability

The Zero Day Initiative (ZDI) disclosed two vulnerabilities in Apple macOS on 30 March 2026, following the expiry of their coordinated disclosure deadline. The more significant of the pair is ZDI-26-230, an out-of-bounds write vulnerability in the CoreMedia framework, Apple's core media processing subsystem responsible for handling audio, video, and image data across macOS and iOS.

The flaw exists in the way CoreMedia processes certain media container formats. A specially crafted media file (an audio file, video clip, or image with a malformed container header) can trigger the out-of-bounds write when processed by CoreMedia. In the context of macOS, the CoreMedia framework is invoked by a wide range of applications: Safari (when playing embedded media), Preview, QuickTime, Mail (for media attachments), and any third-party application that uses the system media stack.

Out-of-bounds write vulnerabilities in media parsing frameworks are a well-established code execution pathway. The attacker's ability to control what is written out-of-bounds can translate to control-flow hijacking, enabling arbitrary code execution in the context of the application processing the file. Depending on the application, this could be in the context of a sandboxed browser process or a less-restricted application with broader system access.
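To make the "malformed container header" mechanism concrete, the following is an added illustration and not CoreMedia's code or anything from the ZDI advisory. It uses a toy box-structured container (a 4-byte big-endian size, a 4-byte type, then a payload, in the style of ISO-BMFF/QuickTime atoms) and places the classic defect, trusting the size field copied out of the file, beside the hardened parse that checks every file-derived quantity against the destination capacity and the remaining input. The sample boxes and the 32-byte payload cap are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy box layout (constructed): 4-byte big-endian size, 4-byte type, payload. */
#define BOX_HEADER_LEN 8
#define PAYLOAD_CAP    32   /* fixed-size destination buffer, an assumption */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the size field comes straight from the file and drives
   the copy into a 32-byte buffer. A header declaring size > 40 writes past
   the end of dst (out-of-bounds write); size < 8 underflows payload_len. */
size_t parse_box_unchecked(const uint8_t *file, size_t file_len, uint8_t *dst) {
    (void)file_len;                               /* never consulted */
    uint32_t size = be32(file);
    size_t payload_len = size - BOX_HEADER_LEN;
    memcpy(dst, file + BOX_HEADER_LEN, payload_len);
    return payload_len;
}

/* Hardened version: reject the box unless the declared size is within the
   header minimum, the bytes actually present, and the destination capacity. */
int parse_box_checked(const uint8_t *file, size_t file_len, uint8_t *dst, size_t *out_len) {
    if (file_len < BOX_HEADER_LEN) return -1;     /* not even a full header */
    uint32_t size = be32(file);
    if (size < BOX_HEADER_LEN) return -1;         /* would underflow */
    if (size > file_len) return -1;               /* box claims more than the file holds */
    size_t payload_len = size - BOX_HEADER_LEN;
    if (payload_len > PAYLOAD_CAP) return -1;     /* would overflow dst */
    memcpy(dst, file + BOX_HEADER_LEN, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Constructed sample boxes (not real media files). */
const uint8_t good_box[16]     = { 0,0,0,16,   'f','t','y','p', 'i','s','o','m', 0,0,2,0 };
const uint8_t short_box[16]    = { 0,0,0,4,    'f','t','y','p', 0,0,0,0, 0,0,0,0 };  /* size < header */
const uint8_t bad_box[16]      = { 0,0,0x10,0, 'm','d','a','t', 0,0,0,0, 0,0,0,0 };  /* size 4096 in a 16-byte file */
const uint8_t oversize_box[48] = { 0,0,0,48,   'm','d','a','t' };                    /* consistent, but 40 > cap */

/* Result helpers: payload length on success, -1 when the hardened parser rejects. */
long checked_result(const uint8_t *file, size_t file_len) {
    uint8_t buf[PAYLOAD_CAP];
    size_t n = 0;
    if (parse_box_checked(file, file_len, buf, &n) != 0) return -1;
    return (long)n;
}

/* Only safe to call on well-formed input; on the malformed samples above
   this is exactly the out-of-bounds write. */
long unchecked_result(const uint8_t *file, size_t file_len) {
    uint8_t buf[PAYLOAD_CAP];
    return (long)parse_box_unchecked(file, file_len, buf);
}

int main(void) {
    printf("good     -> %ld\n", checked_result(good_box, sizeof good_box));
    printf("short    -> %ld\n", checked_result(short_box, sizeof short_box));
    printf("bad      -> %ld\n", checked_result(bad_box, sizeof bad_box));
    printf("oversize -> %ld\n", checked_result(oversize_box, sizeof oversize_box));
    return 0;
}
```

The three rejections cover the three independent ways a size field can be wrong: smaller than the header it belongs to, larger than the input that remains, and larger than the buffer it is copied into. Real parsers need all three checks at every level of nesting, which is why a single missed one in a framework as widely linked as CoreMedia is reachable from so many applications.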

The companion disclosure ZDI-26-231 covers a separate information disclosure vulnerability in macOS that exposes sensitive data. Precise details have not been made fully public.

The Disclosure Timeline

ZDI operates a 120-day coordinated disclosure window. Their disclosure on 30 March suggests the vulnerability was reported to Apple in approximately late November 2025. It was not patched in any of the Apple security updates released between that date and March 2026, which means the disclosure was made without a corresponding Apple patch, following ZDI's policy of public disclosure after the deadline regardless of vendor patch status.

Apple has not yet released a specific security update addressing ZDI-26-230. The most recent Apple security content update prior to this disclosure was the background security improvements released on 17 March 2026 (covering the WebKit cross-origin issue CVE-2026-20643). An update addressing the CoreMedia flaw is expected in an upcoming point release.

Why CoreMedia Vulnerabilities Are High-Priority

Media file processing is one of the most reliably effective attack surfaces for remote code execution on macOS. Unlike web-based attacks that require browser exploitation or phishing-based attacks that require user execution, a media file vulnerability can be triggered by previewing a file in Finder (Quick Look), opening an attachment in Mail, or visiting a website that triggers media loading.

This attack surface has been exploited historically in high-value targeted attacks. The 2021 ForcedEntry iMessage exploit (used to deploy Pegasus spyware) leveraged an analogous heap overflow in Apple's image processing pipeline. CoreMedia RCE vulnerabilities follow a similar pattern: low user interaction, broad application surface, and significant privilege potential.

For organisations with macOS in their environment (particularly executive and senior leadership devices, which are common targets in espionage operations), a disclosed but unpatched CoreMedia RCE is a threat that warrants proactive measures:

  1. Monitor Apple's security release page for a patch addressing ZDI-26-230. Update macOS as soon as the patch is released. For managed fleets, pre-stage the update so deployment can happen immediately upon availability.

  2. Consider blocking or quarantining untrusted media file attachments in email security gateways as a temporary measure until a patch is available. Specifically, target .mov, .mp4, and unusual audio/video container formats from unknown senders.

  3. Enable automatic software updates on macOS devices. Apple's background security update mechanism (introduced in macOS 26.3) allows certain security patches to be delivered without a full OS update cycle; ensure this feature is active on all managed systems.

  4. Restrict Quick Look previews for downloaded files. Quick Look invokes CoreMedia for media preview. While it is not practical to disable Quick Look entirely, user awareness about previewing unsolicited media files reduces exposure.

  5. Prioritise patch deployment to executive and high-value macOS users. In practice, the audience most targeted by media-delivery exploits (spearphishing with weaponised attachments) is senior leadership and board members. Ensure these devices receive updates with the shortest possible dwell time.
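Recommendation 2 names extensions, but an attachment filter that keys only on the file name is defeated by renaming the file, and CoreMedia is invoked on the content, not the name. The following added example (not from the advisory or any gateway product) generalises the recommendation: it classifies an attachment by its leading bytes using the published container magics (an ISO-BMFF/QuickTime box type at offset 4, a RIFF header for AVI/WAV, the EBML signature for Matroska/WebM) and holds it when either the extension or the content says "media" and the sender is not on an allow-list. The extension list, the hold policy and the sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classify a container by content. Magic values are the formats' own;
   anything not recognised is reported as "unknown". */
const char *container_family(const uint8_t *d, size_t n) {
    /* Top-level box types that legitimately open a QuickTime/MP4 file. */
    static const char *const bmff_boxes[] = { "ftyp", "moov", "mdat", "wide", "free", "skip" };
    if (n >= 8) {
        for (size_t i = 0; i < sizeof bmff_boxes / sizeof bmff_boxes[0]; i++)
            if (memcmp(d + 4, bmff_boxes[i], 4) == 0) return "isobmff";   /* .mp4 .mov .m4a .3gp */
    }
    if (n >= 12 && memcmp(d, "RIFF", 4) == 0 &&
        (memcmp(d + 8, "AVI ", 4) == 0 || memcmp(d + 8, "WAVE", 4) == 0))
        return "riff";                                                    /* .avi .wav */
    if (n >= 4 && d[0] == 0x1A && d[1] == 0x45 && d[2] == 0xDF && d[3] == 0xA3)
        return "matroska";                                                /* .mkv .webm */
    return "unknown";
}

/* Name-based check, kept only as a second signal (assumed extension list). */
int extension_is_media(const char *name) {
    static const char *const exts[] = { ".mov", ".mp4", ".m4a", ".3gp", ".avi", ".mkv", ".webm" };
    const char *dot = strrchr(name, '.');
    if (!dot) return 0;
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++)
        if (strcmp(dot, exts[i]) == 0) return 1;
    return 0;
}

/* Hold decision: untrusted sender AND (name says media OR content says media).
   Trusted senders pass, matching the "from unknown senders" scope of the recommendation. */
int should_quarantine(const char *name, const uint8_t *d, size_t n, int sender_trusted) {
    if (sender_trusted) return 0;
    return extension_is_media(name) || strcmp(container_family(d, n), "unknown") != 0;
}

/* Constructed sample headers (not real attachments). */
const uint8_t sample_mp4[12] = { 0,0,0,0x18, 'f','t','y','p', 'i','s','o','m' };
const uint8_t sample_wav[12] = { 'R','I','F','F', 0,0,0,0, 'W','A','V','E' };
const uint8_t sample_mkv[8]  = { 0x1A,0x45,0xDF,0xA3, 0,0,0,0 };
const uint8_t sample_png[8]  = { 0x89,'P','N','G', 0x0D,0x0A,0x1A,0x0A };

int main(void) {
    /* An MP4 renamed to look like a document is still held by content. */
    printf("report.pdf (mp4 bytes) -> hold=%d\n", should_quarantine("report.pdf", sample_mp4, sizeof sample_mp4, 0));
    printf("photo.png  (png bytes) -> hold=%d\n", should_quarantine("photo.png",  sample_png, sizeof sample_png, 0));
    printf("clip.mkv   (mkv bytes) -> hold=%d\n", should_quarantine("clip.mkv",   sample_mkv, sizeof sample_mkv, 0));
    return 0;
}
```

The two signals are deliberately OR-ed: a file named clip.mp4 whose bytes are not a recognised container is still held, because an unrecognised container from an unknown sender is exactly the "unusual format" case the recommendation calls out, and a renamed container is held because the parser that matters never sees the name.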