Description
This issue was addressed through improved state management. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-01-27
Score: 6.5 Medium
EPSS: 1.2% Low
KEV: No
Impact: Denial of Service (process crash)
Action: Patch Immediately
AI Analysis

Impact

This issue was addressed through improved state management. In WebKitGTK, and in the Apple platforms that ship the same WebKit engine, processing maliciously crafted web content may lead to an unexpected process crash. The weaknesses recorded for the CVE are CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-Bounds Read), which point to a memory-safety defect reached through a bad state transition rather than a logic bug. Successful exploitation terminates the WebKit process that is rendering the content, a denial of service for the browser or for any application embedding the engine; the current NVD vector (C:N/I:N/A:H) records no confidentiality or integrity impact.

Affected Systems

Apple users are affected on releases earlier than Safari 18.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3 and watchOS 11.3. On Linux the same engine ships as the webkit2gtk packages: the CPEs attached to this record cover Red Hat Enterprise Linux 7 ELS, 8 and 9, including the AUS, E4S, EUS and TUS streams 8.2, 8.4, 8.6, 8.8, 9.0, 9.2 and 9.4 (Red Hat rates the issue Important), and Debian (DLA-4051-1, DSA-5865-1) and Ubuntu (USN-7279-1) published webkit2gtk security updates. The fixed package versions for the Linux distributions are not listed on this page; consult the linked advisories.
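As an added example, not part of the OpenCVE page or its generator: a small parser for the two CPE bindings that appear in this record's History (the 2.2 URI form Red Hat uses, such as cpe:/a:redhat:rhel_eus:9.2, and the 2.3 formatted string NVD uses for the Apple products, such as cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*), with a matcher that checks an asset inventory against the record. The record's CPE list is copied from this page; the inventory entries and all function names are constructed for the illustration.

```python
import re

# Component names for the CPE 2.3 formatted-string binding
# ("cpe:2.3:" followed by exactly 11 colon-separated fields).
FS_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
# The older CPE 2.2 URI binding ("cpe:/part:vendor:product[:version...]")
# carries at most the first seven of them; trailing fields may be omitted.
URI_FIELDS = FS_FIELDS[:7]

# Split on colons that are not escaped with a backslash ("\:" is a literal
# colon inside a 2.3 component).
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_cpe(cpe):
    """Normalise a CPE 2.2 URI or 2.3 formatted string into a dict.

    Empty and '*' components become the logical value "ANY"; everything
    else (including the 2.3 NA marker '-') is kept verbatim.
    """
    if cpe.startswith("cpe:2.3:"):
        parts = _UNESCAPED_COLON.split(cpe[len("cpe:2.3:"):])
        if len(parts) != len(FS_FIELDS):
            raise ValueError(f"CPE 2.3 string needs 11 components: {cpe!r}")
        names = FS_FIELDS
    elif cpe.startswith("cpe:/"):
        parts = _UNESCAPED_COLON.split(cpe[len("cpe:/"):])
        if not 1 <= len(parts) <= len(URI_FIELDS):
            raise ValueError(f"malformed CPE 2.2 URI: {cpe!r}")
        parts = parts + [""] * (len(URI_FIELDS) - len(parts))
        names = URI_FIELDS
    else:
        raise ValueError(f"not a CPE name: {cpe!r}")
    parsed = {}
    for name, value in zip(names, parts):
        value = value.replace("\\:", ":")
        parsed[name] = "ANY" if value in ("", "*") else value
    return parsed


def cpe_matches(pattern, inventory_cpe):
    """True when the record's CPE (pattern) covers an inventory entry.

    Comparison is on part, vendor, product and version only; "ANY" in the
    pattern matches everything, otherwise the values must be equal.  It does
    not interpret NVD version ranges (not shown on this page), nor Red Hat's
    convention that enterprise_linux:9 stands for every 9.x release.
    """
    p, inv = parse_cpe(pattern), parse_cpe(inventory_cpe)
    return all(p[k] == "ANY" or p[k] == inv[k]
               for k in ("part", "vendor", "product", "version"))


def affected_by_vendor(cpes):
    """Group a record's CPE list into {vendor: sorted 'product [version]' labels}."""
    grouped = {}
    for cpe in cpes:
        c = parse_cpe(cpe)
        label = c["product"] if c["version"] == "ANY" else f"{c['product']} {c['version']}"
        grouped.setdefault(c["vendor"], set()).add(label)
    return {vendor: sorted(labels) for vendor, labels in grouped.items()}


# The CPE names attached to this record, copied from the History section.
PAGE_CPES = [
    "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
    "cpe:/o:redhat:rhel_els:7",
    "cpe:/a:redhat:enterprise_linux:8",
    "cpe:/a:redhat:enterprise_linux:9",
    "cpe:/a:redhat:rhel_aus:8.2", "cpe:/a:redhat:rhel_aus:8.4", "cpe:/a:redhat:rhel_aus:8.6",
    "cpe:/a:redhat:rhel_e4s:8.4", "cpe:/a:redhat:rhel_e4s:8.6", "cpe:/a:redhat:rhel_e4s:9.0",
    "cpe:/a:redhat:rhel_eus:8.8", "cpe:/a:redhat:rhel_eus:9.2", "cpe:/a:redhat:rhel_eus:9.4",
    "cpe:/a:redhat:rhel_tus:8.4", "cpe:/a:redhat:rhel_tus:8.6",
]

# Constructed inventory entries (not from the page) used to show matching.
INVENTORY = [
    "cpe:2.3:o:apple:macos:15.2:*:*:*:*:*:*:*",
    "cpe:/a:redhat:rhel_eus:9.2",
    "cpe:/a:redhat:rhel_eus:9.0",
]


def affected_inventory(inventory=INVENTORY, record_cpes=PAGE_CPES):
    """Return the inventory entries covered by at least one record CPE."""
    return [item for item in inventory
            if any(cpe_matches(p, item) for p in record_cpes)]


if __name__ == "__main__":
    for vendor, labels in affected_by_vendor(PAGE_CPES).items():
        print(vendor + ":", ", ".join(labels))
    print("affected inventory:", affected_inventory())
```

The Apple CPEs carry a wildcard version because NVD expresses the affected range (everything before the fixed releases) as separate version-range data that this page does not reproduce, so a wildcard match must be followed by a version check against the fixed releases in the Description.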

Risk and Exploitability

The NVD base score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) describes a bug that is reachable over the network without privileges but needs user interaction, with an availability-only impact. The score was revised twice, from 9.8 to 8.8 and then to 6.5, as the vector was corrected to require user interaction and to drop the confidentiality and integrity impact; Red Hat nevertheless rates the issue Important. The EPSS score of 1.2% indicates a low but non-zero probability of exploitation over the next 30 days, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: yes. The attack vector is web content delivered to a vulnerable WebKit instance: a malicious or compromised site, injected third-party content such as an advertisement, or untrusted HTML loaded by an application that embeds WebKitGTK. The attacker needs a user or application to render the crafted content; the result is a crash of the WebKit process and loss of service for that user or for any application built on the engine.

Generated by OpenCVE AI on April 28, 2026 at 12:11 UTC.

Remediation

Apple fixed the issue in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3 and watchOS 11.3. For Linux, webkit2gtk updates are tracked in the Debian (DLA-4051-1, DSA-5865-1) and Ubuntu (USN-7279-1) advisories listed below and in Red Hat's Bugzilla entry. No vendor workaround is published.

OpenCVE Recommended Actions

  • Update Apple devices to Safari 18.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3 or later.
  • On Red Hat Enterprise Linux 8 and 9 (and the 7 ELS and extended-support streams listed in the CPEs), apply the webkit2gtk3 update from the Red Hat advisory with dnf/yum; on Debian and Ubuntu, apply the webkit2gtk update from DLA-4051-1, DSA-5865-1 or USN-7279-1. Restart applications that embed WebKit after updating, since a running process keeps the old library mapped.
  • If an update cannot be applied immediately, avoid rendering untrusted web content in WebKitGTK-based applications (embedded browsers, HTML mail and help viewers) and run them with the lowest privileges possible inside a sandbox, so that a crash is contained to that process. Pre-screening web assets is not a practical mitigation for a browser-engine memory-safety bug; the reliable fix is the updated package.

Generated by OpenCVE AI on April 28, 2026 at 12:11 UTC.


Advisories
Source      ID              Title
Debian DLA  DLA-4051-1      webkit2gtk security update
Debian DSA  DSA-5865-1      webkit2gtk security update
EUVD        EUVD-2025-3664  This issue was addressed through improved state management. This issue is fixed in visionOS 2.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Ubuntu USN  USN-7279-1      WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description
  Removed: This issue was addressed through improved state management. This issue is fixed in visionOS 2.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to an unexpected process crash.
  Added: This issue was addressed through improved state management. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted web content may lead to an unexpected process crash.

Mon, 03 Nov 2025 21:30:00 +0000


Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Tue, 18 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Tue, 04 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat enterprise Linux
References

Mon, 03 Mar 2025 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos
Metrics cvssV3_1
  Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Mon, 03 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.4
Vendors & Products Redhat
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Tue, 18 Feb 2025 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1
  Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 14 Feb 2025 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 12 Feb 2025 13:45:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
References
Metrics threat_severity
  Removed: None
  Added:   Important


Tue, 28 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1
  Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics ssvc
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 22:00:00 +0000

Type Values Removed Values Added
Description This issue was addressed through improved state management. This issue is fixed in visionOS 2.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari Tvos Visionos Watchos
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:14:51.939Z

Reserved: 2025-01-17T00:00:44.988Z

Link: CVE-2025-24162

Vulnrichment

Updated: 2025-11-03T21:05:17.372Z

NVD

Status : Modified

Published: 2025-01-27T22:15:20.167

Modified: 2026-04-02T19:19:10.227

Link: CVE-2025-24162

Redhat

Severity : Important

Public Date: 2025-01-27T21:45:54Z

Links: CVE-2025-24162 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T12:15:30Z