Description
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may result in the disclosure of process memory.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: 1.1% Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A logic flaw in the handling of web content can allow an attacker to gain access to process memory from maliciously crafted web pages or applications. The vulnerability may reveal sensitive data stored in memory, compromising confidentiality of data that the device processes. Based on the description, the likely attack vector is through web content presented to the browser or web‑view components, and an attacker would need to lure a user to a malicious site or embed crafted content in an application.

Affected Systems

Apple devices running iOS, iPadOS, macOS, tvOS, visionOS and watchOS are affected. The flaw is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4 and watchOS 11.4. Earlier releases of these operating systems remain vulnerable.

Risk and Exploitability

The CVSS score of 6.5 marks this vulnerability as a medium-severity issue, and the EPSS score of 1% indicates a relatively low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at the time of analysis. An attacker could exploit the flaw by directing a user to malicious web content or by embedding crafted content in an application that renders web content. Because the flaw allows disclosure of process memory, the impact could be substantial if confidential data, credentials or encryption keys are present in memory.

Generated by OpenCVE AI on April 28, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the operating system to the latest patched release (iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4).
  • Enable automatic updates for all Apple operating systems to ensure timely delivery of security patches.
  • Avoid or sandbox web content from untrusted sources, especially when visiting unknown websites or using third‑party applications that render web pages.


Advisories
Source | ID | Title
EUVD | EUVD-2025-8995 | A logic issue was addressed with improved checks. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may result in the disclosure of process memory.
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A logic issue was addressed with improved checks. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may result in the disclosure of process memory.
Values Added: A logic issue was addressed with improved checks. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may result in the disclosure of process memory.
References

Mon, 03 Nov 2025 21:30:00 +0000


Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos
Apple visionos
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple tvos
Apple visionos

Wed, 02 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved checks. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may result in the disclosure of process memory.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:00.855Z

Reserved: 2025-01-17T00:00:44.997Z

Link: CVE-2025-24194

Vulnrichment

Updated: 2025-11-03T21:07:12.294Z

NVD

Status: Modified

Published: 2025-03-31T23:15:17.807

Modified: 2026-04-02T19:19:16.497

Link: CVE-2025-24194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses