CVE-2025-43511

MEDIUM
2025-12-12 [email protected]
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch Released
Apr 06, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Dec 12, 2025 - 21:15 nvd
MEDIUM 6.5

Tags

Apple Safari iOS macOS Use After Free Denial Of Service Ipados Iphone Os Redhat Suse

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Analysis

Use-after-free memory corruption in Apple WebKit allows remote attackers to crash Safari and iOS/iPadOS applications via maliciously crafted web content, resulting in denial of service. The vulnerability affects Safari 26.2, iOS 18.7.2 and 26.2, iPadOS 18.7.2 and 26.2, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2. No public exploit code has been identified, and the vulnerability is not confirmed as actively exploited; however, the network-accessible attack vector and low complexity make it a moderate priority despite the low EPSS score.

Technical Context

This use-after-free vulnerability (CWE-416) resides in WebKit's memory management subsystem, the rendering engine powering Safari and embedded browsers across Apple platforms. Use-after-free flaws occur when code attempts to access memory that has been deallocated, typically resulting in out-of-bounds reads or writes. When triggered by processing specially crafted web content, the memory management defect causes an unexpected process crash rather than information disclosure or code execution, indicating the vulnerability manifests primarily as a denial-of-service condition. The vulnerability affects multiple Apple OS versions and Safari, suggesting the defect exists in shared WebKit code across the ecosystem.

Affected Products

Apple Safari version 26.2 and earlier, iOS 18.7.2 and earlier and version 26.2 and earlier (CPE: cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*), iPadOS 18.7.2 and earlier and version 26.2 and earlier (CPE: cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*), macOS Tahoe 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. Complete advisory details are available at https://support.apple.com/en-us/125633 and related support pages 125884, 125886, 125890, 125891, and 125892.

Remediation

Vendor-released patches are available: Safari users should update to version 26.2 or later; iOS users should update to iOS 18.7.2 or iOS 26.2; iPadOS users should update to iPadOS 18.7.2 or iPadOS 26.2; macOS users should update to macOS Tahoe 26.2; visionOS users should update to visionOS 26.2; and watchOS users should update to watchOS 26.2. Immediate patching is recommended to eliminate exposure to remote denial-of-service attacks via maliciously crafted web content. Users unable to update immediately should avoid visiting untrusted or suspicious websites and consider using web content blockers or security extensions as temporary mitigation. Detailed patch instructions and security advisories are available at https://support.apple.com/en-us/125633.

Priority Score

33
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +32
POC: 0

Vendor Status

Share

CVE-2025-43511 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy