
CVE-2025-43376: A remote attacker may be able to view leaked DNS queries with Private Relay turned on in Apple iOS and iPadOS

Severity: High
Type: Vulnerability
CVE: CVE-2025-43376
Published: Tue Nov 04 2025 (11/04/2025, 01:16:17 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

A logic issue was addressed with improved state management. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.

AI-Powered Analysis

Last updated: 12/10/2025, 21:18:34 UTC

Technical Analysis

CVE-2025-43376 is a logic flaw in Apple's implementation of Private Relay on iOS, iPadOS, and other related platforms that leads to leakage of DNS queries. Private Relay is designed to enhance user privacy by encrypting DNS queries and routing them through Apple's relay servers to prevent exposure to third parties. However, due to improper state management in the affected versions, a remote attacker can intercept or view DNS queries that should have been protected. The issue spans multiple Apple platforms and is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, and visionOS 26. The CVSS score of 7.5 reflects a high severity, given that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality (C:H) without affecting integrity or availability. The flaw does not require authentication and can be exploited remotely, increasing the risk profile. Although no active exploitation has been reported, the potential for privacy invasion is significant, as DNS queries can reveal sensitive user behavior and browsing patterns. The vulnerability underscores the importance of robust state management in privacy-preserving technologies and the risks posed when such mechanisms fail. Organizations relying on Apple devices with Private Relay enabled should apply the patches provided in the latest OS updates to mitigate this risk.

Potential Impact

For European organizations, the leakage of DNS queries can lead to significant privacy and security risks. DNS queries often reveal the websites and services accessed by users, which can be leveraged for profiling, surveillance, or targeted attacks. In sectors such as finance, healthcare, and government, exposure of such data could lead to regulatory non-compliance under GDPR and other privacy laws, resulting in legal and financial penalties. The confidentiality breach could also facilitate further attacks by revealing internal or sensitive domains. Since the vulnerability requires no authentication and can be exploited remotely, it increases the attack surface for threat actors targeting European enterprises. The impact is amplified in environments where Apple devices are widely used and Private Relay is enabled to protect user privacy. Additionally, the reputational damage from a privacy breach could be severe, especially for organizations committed to data protection. The absence of integrity or availability impact limits the scope to confidentiality, but the sensitivity of DNS data makes this a critical concern. Overall, the vulnerability poses a direct threat to privacy and compliance for European organizations using affected Apple products.

Mitigation Recommendations

European organizations should immediately verify the versions of Apple operating systems deployed across their endpoints and ensure all devices are updated to Safari 26, tvOS 26, watchOS 26, iOS 26, iPadOS 26, or visionOS 26 or later where the vulnerability is fixed. Disable Private Relay temporarily if patching cannot be performed promptly, to prevent DNS query leakage. Implement network monitoring to detect unusual DNS traffic patterns or potential interception attempts. Employ endpoint management solutions to enforce update policies and verify compliance. Educate users about the importance of installing OS updates and the risks of using outdated software. Consider deploying additional DNS encryption mechanisms such as DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as a layered defense. Review and update privacy policies and incident response plans to address potential data leakage scenarios. Collaborate with Apple support for guidance on best practices and remediation steps. Finally, conduct regular security assessments to ensure no residual exposure remains post-patching.


Technical Details

Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2025-04-16T15:24:37.115Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69095ba678d4f574c2a8f236

Added to database: 11/4/2025, 1:49:26 AM

Last enriched: 12/10/2025, 9:18:34 PM

Last updated: 12/20/2025, 5:18:19 AM
