CVE-2025-46282

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-12-17

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Dec 17, 2025 - 21:16 (nvd), rated MEDIUM 5.5
Analysis Generated: Apr 02, 2026 - 19:37 (vuln.today)

Description

The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.

Analysis

Safari and macOS allow local authenticated applications to access sensitive user data because permission enforcement is incomplete. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2; it is exploitable by an app running with ordinary user-level privileges that bypasses the authorization checks guarding protected user information. Apple has released patched versions that add permission validation. EPSS data indicates a minimal likelihood of real-world exploitation; the attack vector is local and requires an already-running, authenticated user-level process.

Technical Context

This vulnerability stems from inadequate permission checks in Safari and macOS (CWE-284: Improper Access Control): an authorization bypass in which the operating system or application fails to verify that a process holds the required privileges before granting it access to a sensitive resource. The issue affects the Safari browser engine and the macOS framework layers responsible for enforcing data access policies. An authenticated local process running with user-level permissions (PR:L in the CVSS vector) can circumvent these checks to read confidential user data. Apple's advisory states only that the fix adds permission checks; the additional validation most likely lives in sandbox policies, capability-based checks, or file and data access control lists that were strengthened in Safari 26.2 and macOS Tahoe 26.2.

Affected Products

Apple Safari versions prior to 26.2 are vulnerable, as are macOS versions prior to Tahoe 26.2 (cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* and cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*). The vulnerability spans all Safari releases before 26.2 and all macOS releases before Tahoe 26.2. Exact version ranges and SKU details are available in Apple's security advisories at https://support.apple.com/en-us/125886 (macOS advisory) and https://support.apple.com/en-us/125892 (Safari advisory).

Remediation

Vendor-released patch: Update Safari to version 26.2 or later and macOS to Tahoe 26.2 or later. Both updates are available through Apple's standard software update mechanisms (System Settings > General > Software Update on macOS). Users should prioritize this patch if running untrusted local applications or shared-user systems. Workarounds are limited due to the local attack vector; the primary mitigation is enforcing strong local access controls and disabling execution of unvetted applications until patching is complete. See https://support.apple.com/en-us/125886 and https://support.apple.com/en-us/125892 for comprehensive patch availability and deployment details.

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
