Skip to main content

Safari CVE-2025-46282

MEDIUM
Improper Access Control (CWE-284)
2025-12-17 product-security@apple.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Dec 17, 2025 - 21:16 nvd
MEDIUM 5.5

DescriptionCVE.org

The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.

AnalysisAI

Safari and macOS allow local authenticated applications to access sensitive user data through improper permission enforcement. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2, exploitable by apps running with user-level privileges that can bypass authorization checks to read protected user information. Apple has released patched versions with additional permission validation; EPSS data indicates minimal real-world exploitation likelihood despite the authenticated local attack vector.

Technical ContextAI

This vulnerability stems from inadequate permission checks in Safari and macOS (CWE-284: Improper Access Control), a classic authorization bypass flaw where the operating system or application fails to properly validate whether a process has the required privileges before granting access to sensitive resources. The issue affects the Safari browser engine and macOS kernel/framework layers responsible for enforcing data access policies. An authenticated local process (running with user-level permissions, PR:L per CVSS vector) can circumvent these checks to read confidential user data. The fix involved implementing additional permission validation layers, likely in sandbox policies, capability-based security checks, or file/data access control lists that Apple strengthened in Safari 26.2 and macOS Tahoe 26.2.

RemediationAI

Vendor-released patch: Update Safari to version 26.2 or later and macOS to Tahoe 26.2 or later. Both updates are available through Apple's standard software update mechanisms (System Settings > General > Software Update on macOS). Users should prioritize this patch if running untrusted local applications or shared-user systems. Workarounds are limited due to the local attack vector; the primary mitigation is enforcing strong local access controls and disabling execution of unvetted applications until patching is complete. See https://support.apple.com/en-us/125886 and https://support.apple.com/en-us/125892 for comprehensive patch availability and deployment details.

More in Safari

View all
CVE-2017-2547 HIGH POC
8.8 May 22

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2014-1303 CRITICAL POC
10.0 Mar 26

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox

CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2016-4622 HIGH
8.8 Jul 22

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar

CVE-2015-1155 MEDIUM POC
4.3 May 08

The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo

CVE-2015-1126 MEDIUM POC
4.3 Apr 10

WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not

CVE-2017-2446 HIGH POC
8.8 Apr 02

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13802 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13795 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13794 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13792 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13785 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

Share

CVE-2025-46282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy