CVE-2025-43216

Severity: MEDIUM (CVSS 3.1 base score 6.5)
Published: 2025-07-30

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Apr 06, 2026 - 08:30 (nvd) - patch available
Analysis Generated: Apr 02, 2026 - 19:37 (vuln.today)
CVE Published: Jul 30, 2025 - 00:15 (nvd)

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Analysis

Safari and Apple operating systems contain a use-after-free vulnerability in web content processing that causes unexpected application crashes when users visit maliciously crafted websites. The flaw affects Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier (also iPadOS 17.7.8 and earlier), macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. A remote attacker can trigger a denial-of-service condition with no elevated privileges; the only user interaction required is visiting a malicious page. Apple has released patches for all affected platforms; the EPSS score of 0.10% (28th percentile) indicates a low real-world exploitation probability despite the accessibility of the attack vector.

Technical Context

The vulnerability stems from improper memory management in WebKit's web content rendering engine, classified as CWE-416 (use-after-free). When processing specially crafted web content, the engine fails to properly manage object lifecycles, allowing a freed memory region to be dereferenced during subsequent rendering operations. This memory safety issue affects the core web rendering path that processes HTML, CSS, and JavaScript in Safari across all Apple platforms (macOS, iOS, iPadOS, tvOS, visionOS, and watchOS). The use-after-free occurs within the rendering pipeline that handles web page layout and display, making it reachable through standard web browsing without special plugins or extensions.

Affected Products

Safari versions prior to 18.6 are affected, along with iOS prior to 18.6, iPadOS 18.5 and earlier (including iPadOS 17.7.8 and earlier), macOS Sequoia prior to version 15.6, tvOS prior to 18.6, visionOS prior to 2.6, and watchOS prior to 11.6. The vulnerability is tracked across multiple Apple operating system families per CPE identifiers covering apple:safari, apple:iphone_os, apple:ipados, apple:macos, apple:tvos, apple:visionos, and apple:watchos. Specific security advisories are available at Apple support URLs 124147 (Safari 18.6), 124148 (iOS 18.6), 124149 (iPadOS 18.6), 124152 (iPadOS 17.7.9), 124153 (macOS Sequoia 15.6), 124154 (tvOS 18.6), and 124155 (visionOS 2.6 and watchOS 11.6).

Remediation

Users should immediately update to the patched versions: Safari 18.6 or later, iOS 18.6 or later, iPadOS 18.6 or later (or iPadOS 17.7.9 or later for devices not eligible for iPadOS 18), macOS Sequoia 15.6 or later, tvOS 18.6 or later, visionOS 2.6 or later, and watchOS 11.6 or later. These updates address the use-after-free issue with improved memory management in WebKit. No workaround is available for users unable to immediately patch; the primary mitigation is to avoid visiting untrusted websites until systems are updated. Detailed patch release notes and update instructions are provided in Apple's official security advisories at support.apple.com (references 124147-124155). Enterprise environments should prioritize patch deployment for systems where users browse untrusted content.
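As an added example that is not part of this advisory or of Apple's own tooling, the following Python encodes the fixed-version thresholds listed above and flags inventoried devices that still need the update; the inventory entries, device ids and helper names are constructed for illustration.

```python
# Added example (not from the advisory or Apple): checks whether an inventoried
# Apple platform/version pair meets the fixed version for CVE-2025-43216.
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions per platform, taken from the Remediation text above.
# iPadOS has two supported branches (17.7.x and 18.x), so it lists two thresholds;
# a version is fixed if it meets the threshold of the branch it belongs to.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "safari":   ["18.6"],
    "ios":      ["18.6"],
    "ipados":   ["17.7.9", "18.6"],
    "macos":    ["15.6"],
    "tvos":     ["18.6"],
    "visionos": ["2.6"],
    "watchos":  ["11.6"],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.6' / '17.7.9' into a comparable integer tuple; raise on junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if fixed, False if still vulnerable, None if platform is not in scope."""
    thresholds = FIXED_VERSIONS.get(platform.lower())
    if thresholds is None:
        return None
    v = parse_version(version)
    # Compare against the threshold of the matching major-version branch; a branch
    # newer than every listed threshold (e.g. 19.x) counts as fixed, an older one
    # (e.g. iPadOS 16.x, no longer supported) is conservatively reported as not fixed.
    for t in thresholds:
        tv = parse_version(t)
        if v[0] == tv[0]:
            return v >= tv
    return v[0] > max(parse_version(t)[0] for t in thresholds)

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return device ids that still need the CVE-2025-43216 update."""
    return [dev for dev, plat, ver in inventory if is_patched(plat, ver) is False]

# Constructed sample inventory (device id, platform, version); not real hosts.
SAMPLE_INVENTORY = [
    ("mac-001", "macos", "15.5"), ("mac-002", "macos", "15.6"),
    ("ipad-001", "ipados", "17.7.8"), ("ipad-002", "ipados", "17.7.9"),
    ("ipad-003", "ipados", "18.5"), ("phone-001", "ios", "18.6.1"),
]
if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))  # mac-001, ipad-001, ipad-003
```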

Priority Score

33 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +32
POC: 0

Vendor Status
