Description
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-03-31
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow in WebKitGTK occurs when the browser processes maliciously crafted web content. The flaw corrupts memory during parsing, causing the rendering process to crash. The crash results in a denial‑of‑service condition for the affected system."

Affected Systems

Apple products – Safari, iOS, iPadOS, macOS Sequoia, tvOS and watchOS – are vulnerable in versions up to Safari 18.4, iOS 18.4, iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4 and watchOS 11.4. CPE data also lists several Red Hat Enterprise Linux releases (RHEL 8, 9 and related extended‑support streams), indicating that WebKitGTK derivatives on those platforms may also be affected, although no explicit vendor patch level is provided.

Risk and Exploitability

The CVSS score of 7 marks this as high severity, while the EPSS score of <1% indicates a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog, so no widely deployed exploit is known. The attack vector is presumably remote; an attacker may trigger the crash by delivering crafted HTML or JavaScript to a browser or WebKitGTK‑based application that processes the malicious content.

Generated by OpenCVE AI on May 9, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Apple software to the latest release (Safari 18.4 or later, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4)
  • Where immediate updates are not possible, limit exposure by restricting the use of untrusted web content, applying user‑level or network‑level content filtering and ensuring that WebKitGTK processes run in a sandboxed environment
  • Continuously monitor Apple security advisories and the Red Hat update channels for any further patches or mitigations, and keep all affected platforms within supported security update ranges

Generated by OpenCVE AI on May 9, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4218-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5899-1 webkit2gtk security update
EUVD EUVD EUVD-2025-8989 A buffer overflow issue was addressed with improved memory handling. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Ubuntu USN Ubuntu USN USN-7436-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A buffer overflow issue was addressed with improved memory handling. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may lead to an unexpected process crash. A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Tue, 27 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2

Thu, 22 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus

Wed, 21 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Devspaces
CPEs cpe:/a:redhat:openshift_devspaces:3::el9
Vendors & Products Redhat openshift Devspaces

Mon, 05 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:8.8

Fri, 18 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Thu, 10 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Wed, 09 Apr 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Tue, 08 Apr 2025 02:00:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos

Tue, 01 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A buffer overflow issue was addressed with improved memory handling. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari Tvos
Redhat Enterprise Linux Openshift Devspaces Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:20:48.576Z

Reserved: 2025-01-17T00:00:45.001Z

Link: CVE-2025-24209

cve-icon Vulnrichment

Updated: 2025-11-03T21:08:03.597Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:18.870

Modified: 2026-04-02T19:19:19.297

Link: CVE-2025-24209

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-07T00:00:00Z

Links: CVE-2025-24209 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T15:15:26Z

Weaknesses