What is the CVSS score of CVE-2025-43265?

CVE-2025-43265 has a CVSS 3.1 base score of 4.0 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2025-43265?

Yes, a patch is available for CVE-2025-43265. Update the affected software to the latest version immediately.

iOS CVE-2025-43265

MEDIUM

Out-of-bounds Read (CWE-125)

2025-07-30 product-security@apple.com

Information Disclosure Apple iOS macOS Red Hat Ipados Iphone Os Safari Tvos Visionos Watchos Suse

4.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 06, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 02, 2026 - 19:37 vuln.today

CVE Published

Jul 30, 2025 - 00:15 nvd

MEDIUM 4.0

DescriptionNVD

An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may disclose internal states of the app.

AnalysisAI

Out-of-bounds read in Apple Safari and system WebKit implementations allows local attackers to disclose internal application state by processing maliciously crafted web content, affecting Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier, macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. The vulnerability requires local access and user interaction but poses information disclosure risk with CVSS 4.0 and EPSS 0.02% (very low exploitation probability); no public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability is a classic out-of-bounds (OOB) read in WebKit, the rendering engine underlying Safari and all Apple system browsers. Out-of-bounds reads (CWE-125) occur when a program reads data from memory locations outside the allocated buffer boundaries, potentially exposing sensitive data such as internal pointers, cryptographic keys, or other application state. In this context, the issue is triggered through maliciously crafted web content-likely HTML, CSS, or JavaScript-processed by WebKit's parser or renderer. The attack vector is local (AV:L), meaning the attacker must have prior access to the target system or trick a local user into visiting a malicious webpage. The affected products span Apple's entire platform ecosystem (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) via their shared WebKit foundation, as identified by the broad CPE strings covering all Apple operating systems and Safari browser.

RemediationAI

Apply the vendor-released patches immediately: update Safari to version 18.6 or later, iOS to version 18.6 or later, iPadOS to version 18.6 or later, macOS Sequoia to version 15.6 or later, tvOS to version 18.6 or later, visionOS to version 2.6 or later, and watchOS to version 11.6 or later. Each platform has a corresponding Apple security update advisory available at https://support.apple.com/en-us/124147 (macOS), https://support.apple.com/en-us/124149 (iOS), https://support.apple.com/en-us/124152 (iPadOS), https://support.apple.com/en-us/124153 (tvOS), https://support.apple.com/en-us/124154 (visionOS), and https://support.apple.com/en-us/124155 (watchOS). No interim workarounds exist; patching is the definitive remediation. Users should enable automatic updates where available to ensure timely deployment.