Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2025-03-31
Score: 4.3 Medium
EPSS: 1.1% Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A use‑after‑free vulnerability in WebKitGTK is triggered when Safari processes maliciously crafted web content, causing the browser to crash. The flaw arises from improper memory management during page parsing, which can destabilize the rendering engine and result in a denial‑of‑service for the user. The issue affects all components that embed WebKitGTK, including Safari on Apple devices.

Affected Systems

The vulnerability impacts Apple Safari and related WebKitGTK implementations on macOS Sequoia 15.4, iOS 18.4, iPadOS 18.4 (and iPadOS 17.7.6), tvOS 18.4, visionOS 2.4, watchOS 11.4, and any system running Safari versions prior to 18.4. Additionally, Red Hat Enterprise Linux 8 and 9 packages containing WebKitGTK are affected, as indicated by the CPE entries for RHEL 8, RHEL 9, and various extended update support branches.

Risk and Exploitability

The CVSS score of 4.3 reflects a low‑to‑moderate severity, while the EPSS score of 1 % indicates a rare exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Exploitation is inferred to occur via malicious web content rendered in Safari or any WebKitGTK‑based browser; an attacker could embed specially crafted HTML or JavaScript to trigger the crash, resulting in a denial of service for the targeted user rather than code execution.

Generated by OpenCVE AI on April 28, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Safari that includes the WebKitGTK patch (version 18.4 or newer).
  • Update iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to the latest releases that contain the fix (e.g., iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4).
  • For Red Hat Enterprise Linux users, upgrade WebKitGTK packages to a version that includes the fix or install the latest RHEL packages that incorporate the patch.

Generated by OpenCVE AI on April 28, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4218-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5899-1 webkit2gtk security update
EUVD EUVD EUVD-2025-8932 A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Ubuntu USN Ubuntu USN USN-7436-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Tue, 27 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2

Thu, 22 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus

Wed, 21 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Devspaces
CPEs cpe:/a:redhat:openshift_devspaces:3::el9
Vendors & Products Redhat openshift Devspaces

Mon, 05 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:8.8

Fri, 18 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Thu, 10 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Wed, 09 Apr 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Tue, 08 Apr 2025 02:00:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos

Tue, 01 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 01 Apr 2025 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari Tvos Visionos
Redhat Enterprise Linux Openshift Devspaces Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:26:48.583Z

Reserved: 2025-03-22T00:04:43.716Z

Link: CVE-2025-30427

cve-icon Vulnrichment

Updated: 2025-11-03T21:13:55.087Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:25.037

Modified: 2026-04-02T19:19:34.387

Link: CVE-2025-30427

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-07T00:00:00Z

Links: CVE-2025-30427 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses