Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption.
Published: 2025-11-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch Immediately
AI Analysis

Impact

Processing maliciously crafted web content may lead to memory corruption. The flaw arises from insufficient bounds checking in WebKitGTK’s memory handling routine, exposing buffer overread, overflow, and arbitrary memory write weaknesses (CWE‑119, CWE‑120, CWE‑787). An attacker who can supply specially crafted web pages or scripts to the affected browser or embedded webview may trigger this corruption, potentially allowing code execution, data manipulation, or denial of service.

Affected Systems

In Apple products, all versions of Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS running prior to the security fixes delivered in Safari 26.1, iOS 18.7.2, iPadOS 18.7.2, iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1 are impacted. In Red Hat Enterprise Linux, all active RHEL 8.x and RHEL 9.x releases—including RHEL 8.2, 8.4, 8.6, 8.8, 9.0, 9.2, 9.4, 9.6, and the various extended‑life and future‑support streams—contain the vulnerable WebKitGTK component as identified by the listed CPEs.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests the likelihood of real‑world exploitation is low. The flaw is not listed in CISA KEV, implying no published exploit. The most probable attack vector involves an attacker delivering malicious web content through a compromised website, phishing email, or embedded webview in an application. Because the bug causes memory corruption, successful exploitation could lead to arbitrary code execution, compromising user data and system integrity.

Generated by OpenCVE AI on April 22, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Apple software update that contains Safari 26.1, iOS 18.7.2 / iPadOS 18.7.2, iOS 26.1 / iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1 or later to receive the memory‑handling fix.
  • For Red Hat Enterprise Linux hosts, install the latest security updates that replace the vulnerable WebKitGTK package; use the system’s package manager or consult Red Hat errata advisories for the patch.
  • Until patches are available, limit exposure by disabling or restricting WebKitGTK‑based browsers or webviews, or enforce strict network filtering to block potentially malicious web content from untrusted sources.

Generated by OpenCVE AI on April 22, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. Processing maliciously crafted web content may lead to memory corruption. The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption.

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to memory corruption
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Eus Long Life
Redhat rhel Tus
Weaknesses CWE-120
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_e4s:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_eus:9.6
cpe:/a:redhat:rhel_eus_long_life:8.4
cpe:/a:redhat:rhel_tus:8.6
cpe:/a:redhat:rhel_tus:8.8
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Eus Long Life
Redhat rhel Tus
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to memory corruption. The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. Processing maliciously crafted web content may lead to memory corruption.
References

Mon, 01 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 05 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 05 Nov 2025 18:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to memory corruption. The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to memory corruption.
References

Wed, 05 Nov 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple iphone Os
Weaknesses CWE-787
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple iphone Os

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipados
Apple safari
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios
Apple ipados
Apple safari
Apple tvos
Apple visionos
Apple watchos

Tue, 04 Nov 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to memory corruption.
References

Subscriptions

Apple Ios Ipados Iphone Os Safari Tvos Visionos Watchos
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:07:30.657Z

Reserved: 2025-04-16T15:24:37.124Z

Link: CVE-2025-43433

cve-icon Vulnrichment

Updated: 2025-11-04T13:56:19.895Z

cve-icon NVD

Status : Modified

Published: 2025-11-04T02:15:49.160

Modified: 2026-04-02T19:20:45.903

Link: CVE-2025-43433

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2025-43433 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses