CVE-2025-31278
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to memory corruption.
Analysis
Memory corruption in Apple's WebKit browser engine across Safari 18.x, iOS/iPadOS 18.x, macOS Sequoia 15.x, and other Apple operating systems allows remote attackers to achieve arbitrary code execution via maliciously crafted web content. The only precondition is user interaction (visiting a malicious webpage). With a CVSS score of 8.8 (High), the vulnerability enables complete system compromise (high confidentiality, integrity, and availability impact) but carries a relatively low real-world exploitation probability (EPSS 0.10%, 27th percentile). No public exploit was identified at the time of analysis, and vendor-released patches are available across all affected platforms as of July-August 2025.
Technical Context
This vulnerability affects WebKit, Apple's open-source browser engine that powers Safari and in-app web views across the entire Apple ecosystem. The CWE-119 classification indicates improper restriction of operations within the bounds of a memory buffer, commonly manifesting as buffer overflows or out-of-bounds writes. WebKit's complex memory management for rendering HTML, CSS, and JavaScript makes it a frequent target for memory safety issues. The CPE strings confirm that the impact spans the Safari browser (desktop), iOS/iPadOS mobile devices, macOS desktop systems, tvOS (Apple TV), visionOS (Vision Pro headset), and watchOS (Apple Watch), indicating that the vulnerability exists in shared WebKit components used universally across Apple's product line. The 'improved memory handling' fix description suggests the vendor addressed unsafe memory operations in content parsing or rendering code paths, likely involving heap or stack buffer management during processing of attacker-controlled web resources.
Affected Products
The vulnerability impacts Apple Safari browser versions prior to 18.6, iOS and iPadOS versions prior to 18.6 (with legacy branch iPadOS prior to 17.7.9 also affected), macOS Sequoia versions prior to 15.6, tvOS versions prior to 18.6, visionOS versions prior to 2.6, and watchOS versions prior to 11.6. The consistent version numbering across platforms reflects Apple's coordinated security update release in July-August 2025. Debian Linux distributions incorporating WebKit-based components are also affected per debian-lts-announce mailing list notifications. The CPE data confirms the vulnerability exists in Apple's proprietary operating systems and their embedded WebKit engine used for both standalone Safari browsing and in-app web view rendering across the entire Apple device ecosystem. Organizations using Apple devices in any capacity, particularly those allowing web browsing or app-based web content access, should consider all pre-patch versions vulnerable. Detailed platform-specific advisories are available at support.apple.com references 124147 through 124155.
Remediation
Apply vendor-released patches immediately: upgrade Safari to version 18.6 or later, iOS and iPadOS to version 18.6 or later (legacy iPadOS users should upgrade to 17.7.9), macOS Sequoia to version 15.6 or later, tvOS to 18.6 or later, visionOS to 2.6 or later, and watchOS to 11.6 or later. Patches are available through standard Apple Software Update mechanisms on all platforms, with detailed installation instructions in Apple's security advisories at https://support.apple.com/en-us/124147 through 124155. Organizations managing Apple device fleets should prioritize MDM-based patch deployment to user-facing systems and mobile devices. Debian-based Linux systems using WebKit should follow guidance at https://lists.debian.org/debian-lts-announce/2025/08/msg00015.html for appropriate package updates. No effective workarounds exist beyond disabling web browsing entirely, which is impractical for most use cases. Given the network attack vector and potential for drive-by exploitation, patching should take precedence over mitigation controls. For environments unable to immediately patch, consider restricting web access to known-trusted domains via content filtering and deploying browser isolation technologies to contain potential exploitation until updates can be applied.
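To turn the fixed versions above into a fleet check, the following added example (not part of the original advisory or any vendor tooling) classifies inventory records against them. The inventory records and function names are constructed. It assumes a newer major release counts as "or later", and that a version on a major release for which the advisory names no fix is vulnerable, except on macOS, where only Sequoia is named.

```python
# Fixed versions come from the advisory text above; the inventory records
# and all function names are constructed for this example.
FIXED = {
    "safari": [(18, 6)], "ios": [(18, 6)], "tvos": [(18, 6)],
    "ipados": [(17, 7, 9), (18, 6)],  # legacy 17.x branch and 18.x branch
    "macos": [(15, 6)],               # macOS Sequoia
    "visionos": [(2, 6)], "watchos": [(11, 6)],
}
# The advisory names only macOS Sequoia, so older macOS majors are reported
# as "unlisted" and the device's Safari record decides instead.
OLDER_MAJOR_UNLISTED = {"macos"}

def parse_version(text):
    """'18.5.1' -> (18, 5, 1). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def status(product, version):
    """Classify one product/version as 'patched', 'vulnerable' or 'unlisted'."""
    product = product.strip().lower()
    fixes = FIXED.get(product)
    try:
        v = parse_version(version)
    except ValueError:
        return "unlisted"
    if fixes is None:
        return "unlisted"
    if v[0] > max(f[0] for f in fixes):
        return "patched"  # "or later": newer major than any fixed branch
    branch = [f for f in fixes if f[0] == v[0]]
    if not branch:  # no fixed release named for this major version
        return "unlisted" if product in OLDER_MAJOR_UNLISTED else "vulnerable"
    width = max(len(v), len(branch[0]))
    pad = lambda t: t + (0,) * (width - len(t))  # so 18.6 compares equal to 18.6.0
    return "patched" if pad(v) >= pad(branch[0]) else "vulnerable"

def triage(inventory):
    """Return the (host, product, version) records that still need the update."""
    return [rec for rec in inventory if status(rec[1], rec[2]) == "vulnerable"]

# Constructed sample inventory: (host, product, version).
INVENTORY = [
    ("mac-014", "macos", "15.5"), ("mac-014", "safari", "18.6"),
    ("ipad-lab-2", "ipados", "17.7.8"), ("ipad-lab-3", "ipados", "17.7.9"),
    ("phone-77", "ios", "18.6.1"), ("watch-09", "watchos", "11.5"),
    ("mac-old-1", "macos", "14.7.6"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```

Records that come back as "unlisted" (an unknown product, an unparseable version, or a pre-Sequoia macOS) need a manual look rather than being read as safe.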