Summary
Apple fixed CVE-2025-43377 in macOS Sequoia 15.7.2 and directly credited
BynarIO AI (bynar.io). Apple’s advisory describes an out-of-bounds read in
Model I/O that could let an app cause a denial of service, addressed with
improved bounds checking.
Bynario’s launch post says the issue was found during autonomous binary
analysis of Apple’s USD library. The post describes an out-of-bounds read
rooted in a missing bounds check on glTF-provided indexes, and says the system
validated the condition by generating a trigger.gltf input.
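To make the bug class concrete, here is an added illustration of the kind of check the advisory's "improved bounds checking" refers to. It is not Apple's Model I/O code, not Apple's USD library, and not Bynario's trigger; the accessor layout, function names and sample buffers are assumptions constructed for the example. A glTF index buffer is attacker-controlled data, so a loader must verify both that the declared index count fits inside the binary buffer and that every index is below the vertex count before using it to address the vertex array.

```c
/* Added illustration (not Apple's Model I/O or Bynario's code): a glTF-style
 * index buffer validator showing the two bounds checks a loader needs before
 * it dereferences vertex data through file-supplied indices. The accessor
 * struct and function names are assumptions, not the real USD/Model I/O API. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The subset of a glTF accessor/bufferView that matters for index validation. */
typedef struct {
    size_t byte_offset;    /* start of the indices inside the binary buffer */
    size_t count;          /* number of indices the file claims to provide */
    int    component_size; /* bytes per index: glTF allows 1, 2 or 4 */
} index_accessor;

/* glTF stores multi-byte values little-endian; assemble bytes explicitly so the
 * result does not depend on host endianness. */
static uint32_t read_index(const uint8_t *p, int size) {
    uint32_t v = 0;
    for (int b = size - 1; b >= 0; b--)
        v = (v << 8) | p[b];
    return v;
}

/* Returns 0 if every index is usable,
 *        -1 if the accessor would read past the end of the buffer,
 *        -2 if any index is >= vertex_count (the check the advisory describes). */
int validate_index_buffer(const uint8_t *buf, size_t buf_len,
                          const index_accessor *acc, size_t vertex_count) {
    if (acc->component_size != 1 && acc->component_size != 2 && acc->component_size != 4)
        return -1;
    /* Division form avoids overflow in count * component_size. */
    if (acc->byte_offset > buf_len)
        return -1;
    if (acc->count > (buf_len - acc->byte_offset) / (size_t)acc->component_size)
        return -1;

    const uint8_t *p = buf + acc->byte_offset;
    for (size_t i = 0; i < acc->count; i++) {
        uint32_t idx = read_index(p + i * (size_t)acc->component_size, acc->component_size);
        if (idx >= vertex_count)
            return -2; /* would index past the vertex array: out-of-bounds read */
    }
    return 0;
}

/* Safe consumer: only touches vertices after validation succeeds.
 * Returns the sum of the selected x coordinates, or a negative status. */
int sum_indexed_x(const float *xs, size_t vertex_count,
                  const uint8_t *buf, size_t buf_len, const index_accessor *acc,
                  float *out) {
    int rc = validate_index_buffer(buf, buf_len, acc, vertex_count);
    if (rc != 0)
        return rc;
    float total = 0.0f;
    const uint8_t *p = buf + acc->byte_offset;
    for (size_t i = 0; i < acc->count; i++)
        total += xs[read_index(p + i * (size_t)acc->component_size, acc->component_size)];
    *out = total;
    return 0;
}

/* Constructed sample data (not from the advisory): three vertices, uint16 indices. */
static const float   sample_xs[]    = {1.0f, 2.0f, 4.0f};
static const uint8_t ok_indices[]   = {0,0, 1,0, 2,0}; /* 0, 1, 2 little-endian */
static const uint8_t bad_indices[]  = {0,0, 1,0, 7,0}; /* 7 >= vertex_count */

int demo_valid(void) {          /* returns 0 */
    index_accessor acc = {0, 3, 2};
    return validate_index_buffer(ok_indices, sizeof ok_indices, &acc, 3);
}
int demo_bad_index(void) {      /* returns -2 */
    index_accessor acc = {0, 3, 2};
    return validate_index_buffer(bad_indices, sizeof bad_indices, &acc, 3);
}
int demo_overrun(void) {        /* returns -1: claims 4 indices, only 6 bytes present */
    index_accessor acc = {0, 4, 2};
    return validate_index_buffer(ok_indices, sizeof ok_indices, &acc, 3);
}
float demo_sum(void) {          /* returns 7.0 */
    index_accessor acc = {0, 3, 2};
    float total = 0.0f;
    sum_indexed_x(sample_xs, 3, ok_indices, sizeof ok_indices, &acc, &total);
    return total;
}

int main(void) {
    printf("valid=%d bad_index=%d overrun=%d sum=%.1f\n",
           demo_valid(), demo_bad_index(), demo_overrun(), demo_sum());
    return 0;
}
```

The point of the split into two checks is that a malformed file can fail in two distinct ways: the accessor can claim more indices than the buffer view holds, or an individual index can point past the vertex array. Either one, if unchecked, turns a parser into an out-of-bounds read, which is the denial-of-service outcome Apple's advisory describes.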
OpenCVE records the Apple CVE as CWE-125 with CVSS 3.1 score 5.5 medium, and lists Apple’s iOS, iPadOS, macOS Sequoia, and macOS Tahoe fix references.
Attribution
This is direct attribution because Apple’s own security content names
BynarIO AI. Bynario’s post adds first-party detail about binary analysis,
closed-source reach, root cause, and trigger generation, but the ledger does not
need to rely on Bynario alone for the AI credit.
The scope should stay modest. The public Apple record describes a denial-of-service out-of-bounds read, not remote code execution or a privilege escalation. Bynario also discusses related null-dereference variants and a broader root cause, but Bugflation counts the public CVE-backed Apple credit rather than treating every related crash path as a separate finding.
Why it matters
This entry gives Bynario an earlier vendor-credit anchor before the 2026 Linux kernel work. It is also a different mode of bugflation evidence: AI-assisted analysis of closed-source compiled software, accepted into Apple’s normal product-security advisory process.
References
- Apple: macOS Sequoia 15.7.2 security content
- Bynario: The idea behind Bynario
- OpenCVE: CVE-2025-43377
- Lorenzo Cavallaro: BynarIO disclosure post
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.