Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-09-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (unexpected process crash)
Action: Immediate Patch
AI Analysis

Impact

A memory handling flaw in WebKit can be triggered by maliciously crafted web content, causing the rendering process to crash. The vulnerability is classified as CWE-119 and is scored highly on CVSS (9.8), indicating a severe problem that can result in a denial of service to users viewing affected content. Because the bug only causes a crash rather than arbitrary code execution, the direct impact is interruption of service and potential loss of session state, but it does not expose data or privileges beyond the user of the affected application.

Affected Systems

The flaw affects Apple’s WebKit‑based platforms, including Safari, iOS, iPadOS, macOS, tvOS, visionOS and watchOS. It also applies to open‑source variants such as webkitgtk and wpe_webkit. Apple released the fix in version 26 of each of the major products (Safari 26, iOS 26, iPadOS 26, macOS 26, tvOS 26, visionOS 26 and watchOS 26), which contains the improved memory handling. Earlier releases lacking these fixes remain vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity, while the EPSS score of less than 1% indicates that, so far, exploitation attempts are extremely rare. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation in the wild. Attackers can trigger the crash by delivering specially crafted web pages that exploit the unsafe memory usage in the rendering engine, typically via a normal web‑browser session. Affected browsers would terminate the WebKit process, effectively causing a denial‑of‑service condition for the user or client application.

Generated by OpenCVE AI on April 27, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apple software updates that include the WebKit patch (Safari 26, iOS 26, iPadOS 26, macOS 26, tvOS 26, visionOS 26 and watchOS 26).
  • If you use webkitgtk or wpe_webkit in your environment, upgrade to the most recent build that contains the memory‑handling fix, such as the release referenced in the WebKit security advisory WSA‑2025‑0007.
  • As a temporary measure, restrict or sandbox untrusted web content—e.g., disable JavaScript in untrusted contexts or employ a content‑filtering proxy—until the official patch is applied.



Advisories
| Source | ID | Title |
| --- | --- | --- |
| Debian DLA | DLA-4375-1 | webkit2gtk security update |
| Debian DSA | DSA-6042-1 | webkit2gtk security update |
| EUVD | EUVD-2025-29294 | The issue was addressed with improved memory handling. This issue is fixed in tvOS 26, Safari 26, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. |
| Ubuntu USN | USN-7895-1 | WebKitGTK vulnerabilities |

History

Thu, 02 Apr 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | The issue was addressed with improved memory handling. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. | The issue was addressed with improved memory handling. This issue is fixed in Safari 26, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. |
| References | | |

Tue, 16 Dec 2025 18:30:00 +0000


Thu, 20 Nov 2025 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Webkitgtk, Webkitgtk webkitgtk, Wpewebkit, Wpewebkit wpe Webkit |
| CPEs | | `cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*`, `cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Webkitgtk, Webkitgtk webkitgtk, Wpewebkit, Wpewebkit wpe Webkit |

Tue, 04 Nov 2025 22:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | | |

Tue, 04 Nov 2025 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | | |

Tue, 04 Nov 2025 01:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | The issue was addressed with improved memory handling. This issue is fixed in tvOS 26, Safari 26, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. | The issue was addressed with improved memory handling. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. |

Mon, 03 Nov 2025 19:30:00 +0000


Tue, 14 Oct 2025 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |


Wed, 17 Sep 2025 14:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple iphone Os |
| CPEs | | `cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Apple iphone Os |

Wed, 17 Sep 2025 11:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple, Apple ios, Apple ipados, Apple macos, Apple safari, Apple tvos, Apple visionos, Apple watchos |
| Vendors & Products | | Apple, Apple ios, Apple ipados, Apple macos, Apple safari, Apple tvos, Apple visionos, Apple watchos |

Tue, 16 Sep 2025 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-119 |
| Metrics | | cvssV3_1: `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`, ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 15 Sep 2025 22:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The issue was addressed with improved memory handling. This issue is fixed in tvOS 26, Safari 26, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:21:37.147Z

Reserved: 2025-04-16T15:24:37.110Z

Link: CVE-2025-43343

Vulnrichment

Updated: 2025-12-17T14:48:14.043Z

NVD

Status: Modified

Published: 2025-09-15T23:15:36.603

Modified: 2026-04-02T19:20:30.460

Link: CVE-2025-43343

Red Hat

Severity: Important

Public Date: 2025-10-13T00:00:00Z

Links: CVE-2025-43343 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T00:00:18Z

Weaknesses