Description
The issue was addressed with improved checks. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted web content may lead to memory corruption.
Published: 2025-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

Processing maliciously crafted web content in Apple WebKit can lead to memory corruption. Apple describes the fix only as "improved checks", which matches the two weaknesses assigned to the record: CWE-119 (operations outside the bounds of a memory buffer) and CWE-129 (improper validation of an array index). In other words, a value derived from page content is used to address memory without adequate bounds checking. The CVSS vector rates confidentiality, integrity and availability impact as high (C:H/I:H/A:H) and the SSVC assessment records a "total" technical impact, so the consequences are not limited to crashing or destabilising applications that embed WebKit, such as Safari or in-app web views: memory corruption in a renderer is the usual starting point for code execution in the content process, although no public exploit is referenced on this page.
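
The CWE-129/CWE-119 pattern described above, shown on a constructed model rather than on WebKit's code. This is an added example, not code from the page or from Apple; the record format, the slot table, SLOT_COUNT and the guard word are assumptions chosen to make the out-of-range write observable without undefined behaviour. The unchecked parser trusts an index taken from "web content"; the checked parser is the "improved checks" version, which validates the whole stream before applying any of it and rejects truncated records.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not WebKit code: an element keeps a fixed table of
 * SLOT_COUNT style values. slots[SLOT_COUNT] is an extra guard word that
 * stands in for whatever the allocator placed right after the table, so an
 * out-of-range write can be observed without undefined behaviour. */
#define SLOT_COUNT  8
#define GUARD_VALUE 0xCAFEBABEu
#define REC_SIZE    5   /* record = [slot index: 1 byte][value: 4 bytes LE] */

typedef struct {
    uint32_t slots[SLOT_COUNT + 1];
} element_style;

void element_init(element_style *st) {
    memset(st, 0, sizeof *st);
    st->slots[SLOT_COUNT] = GUARD_VALUE;
}

bool guard_intact(const element_style *st) {
    return st->slots[SLOT_COUNT] == GUARD_VALUE;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern. The slot index is taken straight from the content and
 * used without validation (CWE-129); for idx >= SLOT_COUNT the store lands
 * outside the table (CWE-119). Returns the number of records applied. */
size_t apply_records_unchecked(element_style *st, const uint8_t *data, size_t len) {
    size_t applied = 0;
    for (size_t off = 0; off + REC_SIZE <= len; off += REC_SIZE) {
        uint8_t idx = data[off];
        st->slots[idx] = read_le32(data + off + 1);   /* no bounds check */
        applied++;
    }
    return applied;
}

/* Hardened pattern ("improved checks"). Every field derived from content is
 * validated before it is used as an index, and the whole stream is validated
 * before any of it is applied, so a bad record cannot leave the element half
 * updated. Returns records applied, or -1 for malformed input. */
long apply_records_checked(element_style *st, const uint8_t *data, size_t len) {
    if (len % REC_SIZE != 0)
        return -1;                               /* truncated trailing record */
    for (size_t off = 0; off < len; off += REC_SIZE)
        if (data[off] >= SLOT_COUNT)
            return -1;                           /* index outside the table */
    for (size_t off = 0; off < len; off += REC_SIZE)
        st->slots[data[off]] = read_le32(data + off + 1);
    return (long)(len / REC_SIZE);
}

/* Constructed "web content": a valid record (slot 2 := 0x11223344) followed by
 * a hostile one whose index (8) is one past the end of the table. */
static const uint8_t SAMPLE[] = {
    0x02, 0x44, 0x33, 0x22, 0x11,
    0x08, 0x41, 0x41, 0x41, 0x41,
};

/* true: the unchecked parser overwrote the guard word next to the table */
bool demo_unchecked_corrupts_guard(void) {
    element_style st; element_init(&st);
    apply_records_unchecked(&st, SAMPLE, sizeof SAMPLE);
    return !guard_intact(&st) && st.slots[SLOT_COUNT] == 0x41414141u;
}

/* true: the checked parser rejects the stream and applies nothing */
bool demo_checked_rejects_hostile(void) {
    element_style st; element_init(&st);
    long r = apply_records_checked(&st, SAMPLE, sizeof SAMPLE);
    return r == -1 && guard_intact(&st) && st.slots[2] == 0;
}

/* true: the checked parser still accepts well-formed content (first record only) */
bool demo_checked_applies_valid(void) {
    element_style st; element_init(&st);
    long r = apply_records_checked(&st, SAMPLE, REC_SIZE);
    return r == 1 && st.slots[2] == 0x11223344u && guard_intact(&st);
}

/* true: a truncated record (3 of 5 bytes) is rejected instead of being read past its end */
bool demo_checked_rejects_truncated(void) {
    element_style st; element_init(&st);
    return apply_records_checked(&st, SAMPLE, 3) == -1;
}

int main(void) {
    printf("unchecked corrupts adjacent memory: %s\n", demo_unchecked_corrupts_guard() ? "yes" : "no");
    printf("checked rejects hostile stream:     %s\n", demo_checked_rejects_hostile() ? "yes" : "no");
    printf("checked applies valid stream:       %s\n", demo_checked_applies_valid() ? "yes" : "no");
    printf("checked rejects truncated record:   %s\n", demo_checked_rejects_truncated() ? "yes" : "no");
    return 0;
}
```

The validate-then-apply split matters in practice: a parser that checks each record as it goes can still be driven into a half-applied state by a stream whose last record is the bad one, and in a real renderer a value written into the wrong slot may be interpreted later as a pointer or a length.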

Affected Systems

All Apple products that ship with the affected WebKit version are vulnerable, including Safari and the WebKit runtime on iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The flaw was resolved in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3; earlier releases remain impacted. The same CVE is also tracked by Red Hat against webkitgtk (severity Important, see the history below), so Linux distributions that ship WebKitGTK are affected as well.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network, no privileges required, and the only precondition is that a user renders the attacker's content (UI:R). The EPSS score below 1% and the SSVC assessment recorded on 2025-05-19 (Exploitation: none, Automatable: no, Technical Impact: total) indicate that no exploitation had been observed at the time of assessment, and the vulnerability is not listed in CISA's KEV catalog. Exploitation would involve delivering specially crafted web content that the device renders through Safari or a WebKit-based view, for example a malicious website, a link opened from an email or message, or content loaded into an in-app web view.

Generated by OpenCVE AI on April 29, 2026 at 02:03 UTC.

Remediation

The vendor fix is the set of releases listed in the description (Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3); no separate workaround is recorded for this issue.

OpenCVE Recommended Actions

  • Update Safari to version 18.3 or newer, and install the corresponding OS updates that include the patched WebKit runtime (macOS Sequoia 15.3, iOS 18.3, iPadOS 18.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3), which address the out-of-bounds memory access (CWE-119) and improper array index validation (CWE-129) weaknesses.
  • If immediate updates are not possible, reduce exposure rather than assume a different browser is safe: on iOS and iPadOS, third-party browsers and in-app web views use the system WebKit, so the vulnerable code is reachable from any app that renders web content. Restrict devices to trusted content, block known-malicious sites with network filtering, and treat links in email and messages with caution until the OS update is applied.
  • Configure MDM or system update settings to enable automatic deployment of Safari and WebKit updates, reducing the manual patching window and keeping all Apple platforms current.

Advisories
Source: EUVD
ID: EUVD-2025-15731
Title: The issue was addressed with improved checks. This issue is fixed in Safari 18.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to memory corruption.

History

Thu, 02 Apr 2026 20:30:00 +0000

Description
  Removed: The issue was addressed with improved checks. This issue is fixed in Safari 18.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to memory corruption.
  Added: The issue was addressed with improved checks. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted web content may lead to memory corruption.

Tue, 04 Nov 2025 22:30:00 +0000

References: updated

Tue, 05 Aug 2025 00:15:00 +0000

Title
  Added: webkitgtk: Processing maliciously crafted web content may lead to memory corruption
Weaknesses
  Added: CWE-129
References: updated
Metrics (threat_severity)
  Removed: None
  Added: Important

Wed, 28 May 2025 14:45:00 +0000

First Time appeared
  Added: Apple; Apple ipados; Apple iphone Os; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos
CPEs
  Added:
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Apple; Apple ipados; Apple iphone Os; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos

Mon, 19 May 2025 19:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 17:30:00 +0000

Weaknesses
  Added: CWE-119
Metrics (cvssV3_1)
  Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 16:15:00 +0000

Description
  Added: The issue was addressed with improved checks. This issue is fixed in Safari 18.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to memory corruption.
References: added

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:41.590Z

Reserved: 2025-01-17T00:00:44.996Z

Link: CVE-2025-24189

Vulnrichment

Updated: 2025-11-04T21:09:41.022Z

NVD

Status: Modified

Published: 2025-05-19T16:15:28.323

Modified: 2026-04-02T19:19:15.560

Link: CVE-2025-24189

Red Hat

Severity: Important

Public Date: 2025-08-01T00:00:00Z

Links: CVE-2025-24189 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z

Weaknesses