CVE-2025-24201

CRITICAL
2025-03-11
10.0
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

4 events
Added to CISA KEV: Apr 03, 2026 - 11:45 (cisa), CISA KEV
Patch Released: Mar 31, 2026 - 21:13 (nvd), Patch available
Analysis Generated: Mar 12, 2026 - 19:52 (vuln.today)
CVE Published: Mar 11, 2025 - 18:15 (nvd), CRITICAL 10.0

Description

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1, watchOS 11.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Analysis

A critical out-of-bounds write in WebKit's rendering engine allows maliciously crafted web content to escape the Web Content sandbox, achieving native code execution on Apple devices. Rated CVSS 10.0 and KEV-listed, CVE-2025-24201 is a supplementary fix for a previously patched vulnerability that was being actively exploited in extremely sophisticated targeted attacks. Affects all Apple platforms: iOS, iPadOS, macOS, Safari, visionOS, and watchOS.

Technical Context

This is a sandbox escape vulnerability in WebKit's rendering pipeline. Unlike typical WebKit memory corruption bugs that execute code within the sandboxed Web Content process, this vulnerability breaks the sandbox boundary, allowing attacker code to run with the privileges of the parent process. Apple described this as a 'supplementary fix' for a previously addressed issue, suggesting the original patch was incomplete. The sandbox escape makes this significantly more dangerous than standard browser RCE vulnerabilities.

Affected Products

iOS 18.3.2 and earlier
iPadOS 18.3.2 and earlier
macOS Sequoia 15.3.2 and earlier
Safari 18.3.1 and earlier
visionOS 2.3.2 and earlier
watchOS 11.4 and earlier

Remediation

Update all Apple devices immediately: iOS/iPadOS 18.3.2+, macOS Sequoia 15.3.2+, Safari 18.3.1+. This is a sandbox escape with confirmed in-the-wild exploitation; treat it as emergency priority. Organizations should push MDM updates and verify compliance.
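One way to verify compliance from an exported device inventory, as an added example that is not code from vuln.today or Apple. The fixed versions are copied from the Description above; the function names and the inventory rows are hypothetical and constructed for illustration.

```python
# Fixed releases per platform, as listed in the CVE description on this page.
FIXED = {
    "iOS":      ["15.8.4", "16.7.11", "18.3.2"],
    "iPadOS":   ["15.8.4", "16.7.11", "17.7.6", "18.3.2"],
    "macOS":    ["15.3.2"],
    "Safari":   ["18.3.1"],
    "visionOS": ["2.3.2"],
    "watchOS":  ["11.4"],
}

def parse(version):
    """'18.3' -> (18, 3, 0), so that 18.3 sorts below 18.3.2."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Return (compliant, target); target is the fixed release to install."""
    fixes = sorted((parse(f), f) for f in FIXED[platform])
    have = parse(version)
    same_line = [(t, s) for t, s in fixes if t[0] == have[0]]
    if same_line:
        fixed_tuple, fixed_str = same_line[0]
        return (True, None) if have >= fixed_tuple else (False, fixed_str)
    if have[0] > fixes[-1][0][0]:
        # Assumption: release lines newer than the newest listed fix include it.
        return (True, None)
    # No fix is listed for this release line (e.g. iOS 17 on iPhone):
    # the device has to move to the next line that has one.
    return (False, next(s for t, s in fixes if t[0] > have[0]))

INVENTORY = [  # constructed sample rows: (device, platform, version)
    ("iphone-01", "iOS", "18.3.2"),
    ("iphone-02", "iOS", "17.7.2"),
    ("ipad-01", "iPadOS", "17.7.6"),
    ("mac-01", "macOS", "15.3.1"),
    ("watch-01", "watchOS", "11.4"),
]

def noncompliant(rows):
    """List (device, target_version) for every row below its fixed release."""
    results = [(dev, assess(plat, ver)) for dev, plat, ver in rows]
    return [(dev, target) for dev, (ok, target) in results if not ok]

if __name__ == "__main__":
    for device, target in noncompliant(INVENTORY):
        print(f"{device}: update to {target}")
```

The page lists no OS fix for macOS release lines older than Sequoia, so for those Macs add the Safari version as its own inventory row and assess it against Safari 18.3.1.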

Priority Score

100
KEV: +50
EPSS: +0.1
CVSS: +50
POC: 0
