Description
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via process crash
Action: Update browsers
AI Analysis

Impact

A classic buffer overflow flaw in WebKit GTK can cause the rendering process to crash when maliciously crafted web content is processed, leading to a denial‑of‑service impact. The weak points are identified as CWE-120 and CWE-787, indicating classic memory‑safety violations. No evidence of code execution is provided in the data, so the primary consequence is an application crash rather than a broader compromise.

Affected Systems

The issue affects Apple’s browsers and systems: Safari, iOS, iPadOS, macOS, and visionOS. Fixed releases are Safari 26.2, iOS 18.7.3/26.2, iPadOS 18.7.3/26.2, macOS 26.2, and visionOS 26.2.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity level. An EPSS of less than 1 % indicates a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The inferred attack vector is the delivery of malicious web content through Safari or any WebKit‑based application; an attacker would need user interaction to open or load such content. The impact would be limited to a browser crash, resulting in temporary denial of service for the affected user.

Generated by OpenCVE AI on April 27, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Safari, iOS, iPadOS, macOS, and visionOS updates that contain the buffer‑overflow fix (Safari 26.2, iOS 18.7.3/26.2, iPadOS 18.7.3/26.2, macOS 26.2, visionOS 26.2).
  • Enable automatic system and application updates so that any future fixes are applied promptly.
  • If an immediate update is not possible, use network filtering or web‑content policies to block or scrutinize suspicious pages until the patch can be applied.

Generated by OpenCVE AI on April 27, 2026 at 22:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4414-1 webkit2gtk security update
Debian DSA Debian DSA DSA-6083-1 webkit2gtk security update
Ubuntu USN Ubuntu USN USN-7957-1 WebKitGTK vulnerabilities
History

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple iphone Os
Weaknesses CWE-787
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple iphone Os

Thu, 18 Dec 2025 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipados
Apple macos
Apple macos Tahoe
Apple safari
Apple visionos
Webkitgtk
Webkitgtk webkitgtk
Vendors & Products Apple
Apple ios
Apple ipados
Apple macos
Apple macos Tahoe
Apple safari
Apple visionos
Webkitgtk
Webkitgtk webkitgtk

Thu, 18 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 17 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ios Ipados Iphone Os Macos Macos Tahoe Safari Visionos
Webkitgtk Webkitgtk
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:09:14.942Z

Reserved: 2025-04-16T15:27:21.192Z

Link: CVE-2025-43501

cve-icon Vulnrichment

Updated: 2025-12-17T21:08:16.531Z

cve-icon NVD

Status : Modified

Published: 2025-12-17T21:16:09.043

Modified: 2026-01-07T16:15:50.180

Link: CVE-2025-43501

cve-icon Redhat

Severity : Important

Publid Date: 2025-12-17T00:00:00Z

Links: CVE-2025-43501 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses