Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to memory corruption.
Published: 2025-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in WebKitGTK’s handling of malformed web content, which can corrupt memory. A crafted payload may overwrite critical memory regions, potentially enabling an attacker to execute arbitrary code, gain unauthorized privileges, or crash the browser. This memory‑corruption flaw falls under buffer overrun, out‑of‑bounds read and write weaknesses (CWE‑119, CWE‑125, CWE‑787).

Affected Systems

Apple Safari, iOS, iPadOS, macOS Sequoia, tvOS, visionOS, and watchOS are known to be affected. The fix is deployed in Safari 18.5, iOS 18.5, iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, and watchOS 11.5 or later. RedHat Enterprise Linux distributions that ship the unpatched WebKitGTK package are also listed in the CPE set, but the primary impact is on Apple platforms.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity flaw with a significant impact. The EPSS score of less than 1% implies a low probability of exploitation at this time, and the listing is not present in CISA’s KEV catalog. Attackers would leverage a remotely served webpage to trigger the bug; no local privileges or special preconditions are required beyond access to a vulnerable client. The memory corruption could lead to arbitrary code execution or denial of service, making the flaw a critical risk for end users.

Generated by OpenCVE AI on April 28, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Safari 18.5, iOS 18.5, iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, or watchOS 11.5 and later on all Apple devices.
  • On RedHat‑based Linux systems, install the latest WebKitGTK package that includes the security fix – consult the referenced advisories for specific version numbers.
  • If an immediate update is not possible, block untrusted web content using a content filter or enforce stricter sandboxing policies within WebKitGTK to limit memory exposure.

Generated by OpenCVE AI on April 28, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4218-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5937-1 webkit2gtk security update
EUVD EUVD EUVD-2025-14630 The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.
Ubuntu USN Ubuntu USN USN-7566-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption. The issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to memory corruption.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Tue, 27 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos

Fri, 16 May 2025 02:30:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to memory corruption
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
Weaknesses CWE-125
CWE-787
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 13 May 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 May 2025 21:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari Tvos Visionos Watchos
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:14.521Z

Reserved: 2025-03-27T16:13:58.315Z

Link: CVE-2025-31204

cve-icon Vulnrichment

Updated: 2025-05-13T20:16:50.330Z

cve-icon NVD

Status : Modified

Published: 2025-05-12T22:15:21.537

Modified: 2026-04-02T19:19:47.127

Link: CVE-2025-31204

cve-icon Redhat

Severity : Important

Publid Date: 2025-05-15T00:00:00Z

Links: CVE-2025-31204 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T02:00:15Z

Weaknesses