CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
Analysis (AI)
Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously crafted web content, with Apple confirming active exploitation on Intel-based Mac systems. The flaw is confirmed actively exploited (CISA KEV) and carries a CVSS 8.8 score requiring only user interaction (visiting a malicious page) to achieve remote code execution. EPSS at 1.55% (81st percentile) is moderate but the KEV listing signals real-world targeted abuse against Apple's WebKit-based browsing stack.
Technical Context (AI)
The vulnerability resides in Apple's WebKit/JavaScriptCore engine that powers Safari and all web content rendering across iOS, iPadOS, macOS, and visionOS. Apple's fix language ('addressed with improved checks') and the Intel-Mac-specific exploitation hint at a validation/type-confusion class issue in the JIT or web content pipeline, though no CWE is assigned in NVD. Affected CPE entries cover Apple Safari, iPadOS, iPhone OS, macOS, and visionOS; a Debian CPE is also listed because WebKitGTK packages downstream from upstream WebKit are similarly impacted on Debian 11. The bug is triggered purely through web content, meaning any vulnerable browsing surface (Safari tab, in-app WebView, embedded WebKit component) is a candidate vector.
Remediation (AI)
Vendor-released patches are available: upgrade to Safari 18.1.1, iOS/iPadOS 17.7.2 (for devices on the 17 train) or 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1 via Apple's standard Software Update mechanism, prioritizing Intel-based Macs given confirmed exploitation on that platform. Debian 11 administrators should apply WebKitGTK package updates from Debian Security as they are published. Where immediate patching is not possible, compensating controls include: disabling JavaScript in Safari (Settings → Safari → Advanced), which neutralizes most WebKit exploitation paths at the cost of breaking nearly all modern sites; routing browsing through an enterprise web filter that blocks unknown/uncategorized domains to reduce drive-by exposure; and instructing users to temporarily avoid Safari/WebKit-embedded browsers in favor of a patched alternative engine. Note that in-app WebViews on iOS still use WebKit and cannot be swapped.
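The following triage script is an added example, not part of the original advisory or any vendor tooling: it checks inventory rows against the fixed versions listed above, handles the separate iOS/iPadOS 17 and 18 trains, and queues Intel-based Macs first. The inventory rows, status labels and function names are constructed for illustration, and treating later major releases as patched is an assumption.

```python
# Fixed versions as listed in the Remediation text, keyed by product and major release train.
FIXED = {
    "safari": {18: (18, 1, 1)},
    "ios": {17: (17, 7, 2), 18: (18, 1, 1)},
    "ipados": {17: (17, 7, 2), 18: (18, 1, 1)},
    "macos": {15: (15, 1, 1)},  # macOS Sequoia
    "visionos": {2: (2, 1, 1)},
}

def parse_version(text):
    """'18.1' -> (18, 1, 0); pads to three fields so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version, arch=""):
    """Return 'patched', 'vulnerable', 'vulnerable-priority' or 'not-covered'."""
    name = product.lower()
    trains = FIXED.get(name)
    if trains is None:
        return "not-covered"  # e.g. Debian WebKitGTK: the page gives no fixed version
    v = parse_version(version)
    if v[0] > max(trains):
        return "patched"  # assumption: later major releases include the fix
    fixed = trains.get(v[0])
    if fixed is None:
        return "not-covered"  # older train with no fixed version on the page
    if v >= fixed:
        return "patched"
    # The page reports exploitation on Intel-based Macs, so those go first.
    if name == "macos" and arch.lower() in ("x86_64", "intel"):
        return "vulnerable-priority"
    return "vulnerable"

# Constructed inventory rows (hostname, product, version, arch), not real data.
INVENTORY = [
    ("mac-002", "macOS", "15.1", "arm64"),
    ("mac-001", "macOS", "15.1", "x86_64"),
    ("ipad-07", "iPadOS", "17.7.2", ""),
    ("phone-12", "iOS", "18.1", ""),
    ("mac-003", "macOS", "14.7.1", "x86_64"),
]

def patch_queue(rows):
    """Hosts needing the update, Intel Macs first (stable within each group)."""
    order = {"vulnerable-priority": 0, "vulnerable": 1}
    hits = [(host, triage(p, v, a)) for host, p, v, a in rows]
    return sorted((h for h in hits if h[1] in order), key=lambda h: order[h[1]])

if __name__ == "__main__":
    for host, status in patch_queue(INVENTORY):
        print(host, status)
```

Rows returned as not-covered (for example macOS releases other than Sequoia, or Debian packages) need a manual check, since the page gives no fixed version for them.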