CVE-2025-43536
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Analysis
A use-after-free memory corruption flaw in Apple's WebKit rendering engine lets a remote attacker crash Safari and iOS/iPadOS applications when they process maliciously crafted web content. Exploitation requires only user interaction (a page visit) and no authentication. The vulnerability affects Safari 26.2, iOS 18.7.3 and iOS 26.2, iPadOS 18.7.3 and iPadOS 26.2, and macOS Tahoe 26.2 and earlier versions. With an EPSS score of 0.06% and no public exploit confirmed, this is a low real-world exploitation priority despite the moderate CVSS 4.3 severity rating, and impact is limited to denial of service through process termination.
Technical Context
The vulnerability stems from a use-after-free condition (CWE-416) in WebKit, Apple's rendering engine shared across Safari, iOS Safari, and other bundled web-based applications. Use-after-free occurs when memory is accessed after it has been freed, leading to potential memory corruption. In this case, improved memory management was implemented to prevent premature deallocation of web content resources during processing. The vulnerability affects all major Apple platforms via their CPE identifiers: Apple Safari (cpe:2.3:a:apple:safari), iPhone OS (cpe:2.3:o:apple:iphone_os), iPadOS (cpe:2.3:o:apple:ipados), and macOS (cpe:2.3:o:apple:macos). The attack vector requires network access to serve or deliver malicious web content, and the user interaction requirement (UI:R in CVSS vector) mandates that a user visit or interact with the malicious page to trigger the memory corruption.
Affected Products
Apple Safari in version 26.2 and earlier, Apple iOS in versions 18.7.3 and earlier as well as iOS 26.2 and earlier, Apple iPadOS in versions 18.7.3 and earlier as well as iPadOS 26.2 and earlier, and Apple macOS Tahoe 26.2 and earlier are affected. The vulnerability impacts all users of these platforms who process untrusted web content. Detailed advisories with affected version ranges are available at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125885, https://support.apple.com/en-us/125886, and https://support.apple.com/en-us/125892.
Remediation
Vendor-released patches are available: update Safari to version 26.2 or later, iOS to version 18.7.3 or later or iOS 26.2 or later, iPadOS to version 18.7.3 or later or iPadOS 26.2 or later, and macOS to Tahoe 26.2 or later. Users should enable automatic security updates where possible, or manually update through Settings > General > Software Update on iOS/iPadOS and System Settings > General > Software Update on macOS. For Safari users on macOS, updates are bundled with macOS system updates. No workarounds are documented; patching is the primary remediation path. Refer to the official Apple security advisories at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125885, https://support.apple.com/en-us/125886, and https://support.apple.com/en-us/125892 for device-specific guidance.
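The following added example (not code from this page or from Apple) turns the fixed releases listed in the Description and Remediation sections into a patch-status check for a device inventory. The function names, the inventory rows, and the conservative rule for major versions with no listed fix are assumptions made for illustration.

```python
import re

# Fixed releases as listed in the Description and Remediation sections of this page.
FIXED = {
    "safari": [(26, 2, 0)],
    "ios": [(18, 7, 3), (26, 2, 0)],
    "ipados": [(18, 7, 3), (26, 2, 0)],
    "macos": [(26, 2, 0)],
}

def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3), padded to three fields; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text, flags=re.ASCII):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def needs_update(product, version):
    """True if the installed version predates the fixed release for its branch."""
    fixes = sorted(FIXED[product.lower()])
    v = parse_version(version)
    same_major = [f for f in fixes if f[0] == v[0]]
    if same_major:
        # e.g. iOS 18.x is measured against 18.7.3, iOS 26.x against 26.2
        return v < same_major[0]
    # Assumption: with no fix listed for this major version, only a release
    # newer than every listed fix counts as patched (conservative).
    return v < fixes[-1]

# Constructed sample inventory: (host, product, version)
INVENTORY = [
    ("iphone-01", "iOS", "18.7.2"),
    ("iphone-02", "iOS", "18.7.3"),
    ("ipad-01", "iPadOS", "26.1"),
    ("mac-01", "macOS", "26.2"),
    ("mac-02", "Safari", "26.1"),
]

def triage(inventory):
    """Return the hosts that still need the update."""
    return [host for host, product, version in inventory
            if needs_update(product, version)]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update required for CVE-2025-43536")
```

Versions that fail to parse raise `ValueError`, so malformed inventory rows surface for manual review instead of being silently counted as patched.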