CVE-2025-43212
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Analysis
Safari and related Apple platforms crash when processing maliciously crafted web content due to a memory handling vulnerability (buffer overflow). Affects Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier, macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. An unauthenticated remote attacker can trigger a denial of service by hosting or injecting malicious web content, with user interaction required to visit the affected content. No public exploit code or active exploitation has been confirmed (EPSS 0.08% indicates minimal real-world exploitation activity to date).
Technical Context
The vulnerability is rooted in CWE-119 (improper restriction of operations within the bounds of a memory buffer), a classic buffer overflow class affecting memory-unsafe code. The affected technology spans Apple's WebKit rendering engine used by Safari and embedded browsers across iOS, iPadOS, tvOS, visionOS, and watchOS platforms. The issue involves processing of web content (likely JavaScript, DOM manipulation, or image/media handling) that can cause out-of-bounds memory access when parsing maliciously crafted input. The memory handling defect was corrected through improved bounds checking and validation logic during content parsing.
Affected Products
Safari versions prior to 18.6; iOS (iPhone OS) versions prior to 18.6; iPadOS versions prior to 18.6; macOS Sequoia versions prior to 15.6; tvOS versions prior to 18.6; visionOS versions prior to 2.6; and watchOS versions prior to 11.6. The CPE identifiers indicate the vulnerability affects all versions of Safari (cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*) and all major Apple operating systems (macOS, iOS/iPhone OS, iPadOS, tvOS, visionOS, watchOS) at the time of the advisory. Detailed security advisories for each platform are available via Apple Support documents 124147, 124149, 124152, 124153, 124154, and 124155 referenced at support.apple.com.
Remediation
Update to Safari 18.6 or later, iOS 18.6 or later, iPadOS 18.6 or later, macOS Sequoia 15.6 or later, tvOS 18.6 or later, visionOS 2.6 or later, and watchOS 11.6 or later. These patched versions include improved memory handling that corrects the buffer overflow. Users should enable automatic security updates through Settings > [System settings] > Software Update on their respective Apple devices. Until patches can be applied, users should avoid visiting untrusted or suspicious websites and disable JavaScript in Safari if practical. Apple's official security advisories at https://support.apple.com/en-us/124147 and related support articles provide detailed guidance for each affected product line.
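An added example (not part of the advisory or any Apple tooling): a fleet-inventory check against the fixed versions listed above, flagging every device that is not confirmed patched. The inventory rows are constructed, and the product keys and status labels are assumptions of this example.

```python
import re

# Fixed versions copied from the Remediation text; keys are this example's own labels.
FIXED = {
    "safari": (18, 6), "ios": (18, 6), "ipados": (18, 6), "tvos": (18, 6),
    "macos": (15, 6),      # the advisory names the Sequoia (15.x) line only
    "visionos": (2, 6), "watchos": (11, 6),
}

def parse_version(text):
    """'18.5.1' -> (18, 5, 1). Numeric tuples avoid the string trap '18.10' < '18.6'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text, re.ASCII):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def status(product, version):
    """Classify one inventory row against the fixed version for its product."""
    key = product.strip().lower()
    fixed = FIXED.get(key)
    if fixed is None:
        return "unknown-product"
    try:
        found = parse_version(version)
    except ValueError:
        return "unparseable"          # surface bad data instead of assuming patched
    if key == "macos" and found[0] != 15:
        return "not-covered"          # other macOS lines are not stated on this page
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))   # so 18.6 == 18.6.0
    return "patched" if pad(found) >= pad(fixed) else "vulnerable"

def needs_action(inventory):
    """Return (host, status) for every row that is not confirmed patched."""
    results = [(host, status(product, version)) for host, product, version in inventory]
    return [(host, state) for host, state in results if state != "patched"]

# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = [
    ("phone-01", "iOS", "18.5"),
    ("tablet-02", "iPadOS", "18.6"),
    ("mac-03", "Safari", "18.10"),
    ("mac-04", "macOS", "15.5"),
    ("mac-05", "macOS", "14.7"),
    ("watch-06", "watchOS", "11.6.1"),
    ("tv-07", "tvOS", "18.x"),
]

if __name__ == "__main__":
    for host, state in needs_action(INVENTORY):
        print(f"{host}: {state}")
```

Rows reported as `not-covered` or `unparseable` need a manual look rather than being counted as patched.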