CVE-2025-43531
LOWCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2Description
A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Analysis
Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.
Technical Context
This vulnerability is a race condition (CWE-362) in the WebKit rendering engine that underpins Safari and embedded web functionality across Apple's operating systems. Race conditions occur when concurrent processes access shared state without proper synchronization, leading to unpredictable behavior depending on execution timing. In this case, the race condition occurs during web content processing and results in an unexpected process crash, suggesting improper state management during asynchronous operations or multi-threaded rendering. The fix involved implementing improved state handling mechanisms to eliminate the timing-dependent window where the race condition could manifest. The wide cross-platform impact (Safari, iOS, iPadOS, macOS, tvOS, visionOS, watchOS) indicates the vulnerability exists in shared WebKit code used across Apple's entire ecosystem.
Affected Products
The vulnerability affects Apple Safari versions prior to 26.2, iOS and iPhone OS versions prior to 18.7.3 and 26.2, iPadOS versions prior to 18.7.3 and 26.2, macOS Tahoe versions prior to 26.2, tvOS versions prior to 26.2, visionOS versions prior to 26.2, and watchOS versions prior to 26.2. The CPE entries confirm impact across all major Apple platforms: cpe:2.3:a:apple:safari, cpe:2.3:o:apple:iphone_os, cpe:2.3:o:apple:ipados, cpe:2.3:o:apple:macos, cpe:2.3:o:apple:tvos, cpe:2.3:o:apple:visionos, and cpe:2.3:o:apple:watchos. Refer to Apple security advisories 125884 through 125892 for platform-specific version information and affected build numbers.
Remediation
Update to Safari 26.2 or later, iOS 18.7.3 or later (or iOS 26.2 if available), iPadOS 18.7.3 or later (or iPadOS 26.2 if available), macOS Tahoe 26.2 or later, tvOS 26.2 or later, visionOS 26.2 or later, and watchOS 26.2 or later. Patches are available across all affected platforms. Users should enable automatic updates in Settings > General > Software Update (iOS/iPadOS/tvOS/watchOS) or System Settings > General > Software Update (macOS/visionOS) to receive security updates automatically. No workarounds are available for this race condition vulnerability; patching is required. Apple security advisories at https://support.apple.com/en-us/125884 through https://support.apple.com/en-us/125892 contain detailed patch information for each platform.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today