CVE-2025-43213

MEDIUM
2025-07-30 [email protected]
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch Released
Apr 06, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Jul 30, 2025 - 00:15 nvd
MEDIUM 6.5

Tags

Apple Safari iOS macOS Denial Of Service Memory Corruption Ipados Iphone Os Tvos Visionos Watchos Redhat Suse

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Analysis

Safari and Apple platform web content processing crashes due to a buffer overflow vulnerability when handling maliciously crafted web content. Affects Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier, macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. Unauthenticated remote attackers can trigger a denial of service by enticing users to visit a malicious webpage, resulting in application crash with no data theft or code execution capability. No public exploit identified at time of analysis; EPSS score of 0.12% indicates low real-world exploitation probability despite moderate CVSS rating.

Technical Context

The vulnerability is a buffer overflow (CWE-119) within Apple's web content rendering engine, affecting memory handling during processing of specially crafted HTML, JavaScript, or other web-native content formats. The issue spans multiple Apple platforms sharing common WebKit-based rendering components, including Safari (standalone browser), iOS/iPadOS (mobile operating systems), macOS Sequoia (desktop), tvOS (television), visionOS (spatial computing), and watchOS (wearable). The buffer overflow occurs without memory safety violations in safe languages, suggesting insufficient bounds checking in native code handling parsed web content-a common attack surface in browser engines when processing malformed or adversarial markup and scripts.

Affected Products

Safari versions prior to 18.6, iOS prior to 18.6, iPadOS prior to 18.6, macOS Sequoia prior to 15.6, tvOS prior to 18.6, visionOS prior to 2.6, and watchOS prior to 11.6 are affected. Specific CPE strings indicate all versions of these products are covered by the vulnerability profile; patch deployment should target all Safari 18.5 and earlier, all iOS/iPadOS versions through 18.5, all macOS Sequoia versions through 15.5, all tvOS through 18.5, all visionOS through 2.5, and all watchOS through 11.5. Apple's advisory resources for each platform are listed in references (support.apple.com articles 124147-124155).

Remediation

Vendor-released patch: Safari 18.6, iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, and watchOS 11.6. All users should immediately update their Apple devices and browsers to these patched versions. Update instructions are provided in Apple's official support documents: https://support.apple.com/en-us/124147 (iOS), https://support.apple.com/en-us/124149 (iPadOS), https://support.apple.com/en-us/124152 (macOS Sequoia), https://support.apple.com/en-us/124153 (tvOS), https://support.apple.com/en-us/124154 (visionOS), and https://support.apple.com/en-us/124155 (watchOS). No known workarounds exist; patching is the only remediation. Until updates can be deployed, users should avoid visiting untrusted or suspicious websites.

Priority Score

33
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +32
POC: 0

Vendor Status

Share

CVE-2025-43213 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy