iOS CVE-2025-43531
LOWCVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
AnalysisAI
Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.
Technical ContextAI
This vulnerability is a race condition (CWE-362) in the WebKit rendering engine that underpins Safari and embedded web functionality across Apple's operating systems. Race conditions occur when concurrent processes access shared state without proper synchronization, leading to unpredictable behavior depending on execution timing. In this case, the race condition occurs during web content processing and results in an unexpected process crash, suggesting improper state management during asynchronous operations or multi-threaded rendering. The fix involved implementing improved state handling mechanisms to eliminate the timing-dependent window where the race condition could manifest. The wide cross-platform impact (Safari, iOS, iPadOS, macOS, tvOS, visionOS, watchOS) indicates the vulnerability exists in shared WebKit code used across Apple's entire ecosystem.
RemediationAI
Update to Safari 26.2 or later, iOS 18.7.3 or later (or iOS 26.2 if available), iPadOS 18.7.3 or later (or iPadOS 26.2 if available), macOS Tahoe 26.2 or later, tvOS 26.2 or later, visionOS 26.2 or later, and watchOS 26.2 or later. Patches are available across all affected platforms. Users should enable automatic updates in Settings > General > Software Update (iOS/iPadOS/tvOS/watchOS) or System Settings > General > Software Update (macOS/visionOS) to receive security updates automatically. No workarounds are available for this race condition vulnerability; patching is required. Apple security advisories at https://support.apple.com/en-us/125884 through https://support.apple.com/en-us/125892 contain detailed patch information for each platform.
More from same product – last 7 days
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Dock
Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape
Local privilege escalation in Apple macOS allows a malicious app already running with low privileges to elevate to root
Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r
Share
External POC / Exploit Code
Leaving vuln.today