CVE-2025-31256 is a vulnerability identified in Apple macOS related to the 'hot corner' feature, which is a user interface shortcut that triggers specific actions when the mouse pointer is moved to a screen corner. The vulnerability arises from improper handling of cached data associated with deleted notes. Specifically, when a user deletes notes, remnants of their content may remain cached and can be unexpectedly revealed when the hot corner is activated. This behavior constitutes an information disclosure vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability requires local access with low privileges (AV:L/PR:L) and does not require user interaction (UI:N), meaning an attacker with access to the system can trigger the hot corner to view deleted notes without further user involvement. The confidentiality impact is high, as sensitive deleted notes may be exposed, but integrity and availability are unaffected. The issue was addressed by Apple through improved cache handling in macOS Sequoia 15.5, which prevents deleted notes from being revealed via the hot corner. There are no known exploits in the wild at the time of publication, and the affected versions are unspecified but presumably all versions prior to 15.5. The vulnerability highlights the risks of residual data in UI features and the importance of secure cache management.

For European organizations, this vulnerability poses a risk of sensitive data leakage through local access vectors. Organizations with employees or contractors using vulnerable macOS versions may inadvertently expose deleted notes containing confidential information, intellectual property, or personal data. This could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. The risk is heightened in environments where macOS devices are shared, or where physical or remote local access is possible (e.g., in co-working spaces, offices with less stringent physical security, or through compromised user accounts). Although the vulnerability does not allow remote exploitation or affect system integrity or availability, the confidentiality breach could be significant in sectors such as finance, legal, healthcare, and government. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt remediation.

1. Upgrade all macOS devices to macOS Sequoia 15.5 or later, where the vulnerability is fixed. 2. Enforce strict physical and logical access controls to prevent unauthorized local access to macOS systems, including use of strong passwords, biometric locks, and screen locking policies. 3. Limit the use of shared or publicly accessible macOS devices to reduce exposure risk. 4. Educate users about the risks of leaving devices unattended and the importance of locking screens when not in use. 5. Implement endpoint detection and response (EDR) solutions to monitor for unusual local activity that could indicate exploitation attempts. 6. Review and audit note-taking and data deletion policies to ensure sensitive information is securely erased and not retained in caches or backups. 7. Consider disabling or restricting the hot corner feature via configuration profiles or MDM solutions if immediate patching is not feasible.