Safari
CVE-2025-46282
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.
AnalysisAI
Safari and macOS allow local authenticated applications to access sensitive user data through improper permission enforcement. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2, exploitable by apps running with user-level privileges that can bypass authorization checks to read protected user information. Apple has released patched versions with additional permission validation; EPSS data indicates minimal real-world exploitation likelihood despite the authenticated local attack vector.
Technical ContextAI
This vulnerability stems from inadequate permission checks in Safari and macOS (CWE-284: Improper Access Control), a classic authorization bypass flaw where the operating system or application fails to properly validate whether a process has the required privileges before granting access to sensitive resources. The issue affects the Safari browser engine and macOS kernel/framework layers responsible for enforcing data access policies. An authenticated local process (running with user-level permissions, PR:L per CVSS vector) can circumvent these checks to read confidential user data. The fix involved implementing additional permission validation layers, likely in sandbox policies, capability-based security checks, or file/data access control lists that Apple strengthened in Safari 26.2 and macOS Tahoe 26.2.
RemediationAI
Vendor-released patch: Update Safari to version 26.2 or later and macOS to Tahoe 26.2 or later. Both updates are available through Apple's standard software update mechanisms (System Settings > General > Software Update on macOS). Users should prioritize this patch if running untrusted local applications or shared-user systems. Workarounds are limited due to the local attack vector; the primary mitigation is enforcing strong local access controls and disabling execution of unvetted applications until patching is complete. See https://support.apple.com/en-us/125886 and https://support.apple.com/en-us/125892 for comprehensive patch availability and deployment details.
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar
The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo
WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
Same weakness CWE-284 – Improper Access Control
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today