CVE-2025-43265
MEDIUMCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Tags
Description
An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may disclose internal states of the app.
Analysis
Out-of-bounds read in Apple Safari and system WebKit implementations allows local attackers to disclose internal application state by processing maliciously crafted web content, affecting Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier, macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. The vulnerability requires local access and user interaction but poses information disclosure risk with CVSS 4.0 and EPSS 0.02% (very low exploitation probability); no public exploit code or active exploitation has been identified.
Technical Context
The vulnerability is a classic out-of-bounds (OOB) read in WebKit, the rendering engine underlying Safari and all Apple system browsers. Out-of-bounds reads (CWE-125) occur when a program reads data from memory locations outside the allocated buffer boundaries, potentially exposing sensitive data such as internal pointers, cryptographic keys, or other application state. In this context, the issue is triggered through maliciously crafted web content-likely HTML, CSS, or JavaScript-processed by WebKit's parser or renderer. The attack vector is local (AV:L), meaning the attacker must have prior access to the target system or trick a local user into visiting a malicious webpage. The affected products span Apple's entire platform ecosystem (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) via their shared WebKit foundation, as identified by the broad CPE strings covering all Apple operating systems and Safari browser.
Affected Products
The vulnerability affects Safari browser versions prior to 18.6 across all Apple platforms, as well as the underlying operating systems: iOS and iPadOS prior to 18.6, macOS Sequoia prior to 15.6, tvOS prior to 18.6, visionOS prior to 2.6, and watchOS prior to 11.6. All products share the affected WebKit library (cpe:2.3:a:apple:webkit), and specific CPE entries exist for each operating system and Safari. Affected product versions are those listed in Apple security updates HT15147, HT15149, HT15152, HT15153, HT15154, and HT15155 referenced in the official Apple security support pages.
Remediation
Apply the vendor-released patches immediately: update Safari to version 18.6 or later, iOS to version 18.6 or later, iPadOS to version 18.6 or later, macOS Sequoia to version 15.6 or later, tvOS to version 18.6 or later, visionOS to version 2.6 or later, and watchOS to version 11.6 or later. Each platform has a corresponding Apple security update advisory available at https://support.apple.com/en-us/124147 (macOS), https://support.apple.com/en-us/124149 (iOS), https://support.apple.com/en-us/124152 (iPadOS), https://support.apple.com/en-us/124153 (tvOS), https://support.apple.com/en-us/124154 (visionOS), and https://support.apple.com/en-us/124155 (watchOS). No interim workarounds exist; patching is the definitive remediation. Users should enable automatic updates where available to ensure timely deployment.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today