Description
A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-12-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Process Crash
Action: Apply Update
AI Analysis

Impact

A race condition in WebKitGTK’s handling of web content can cause the rendering process to crash when the browser is fed maliciously crafted data. The crash results in a denial of service that affects the availability of the affected application or system, but it does not directly compromise confidentiality or integrity. The weakness is categorized as a concurrency error (CWE-362).

Affected Systems

Apple’s Safari browser and the underlying WebKitGTK engine on macOS, iOS, iPadOS, tvOS, visionOS, and watchOS are affected. The issue was fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2. Systems running any earlier version of these products are vulnerable.

Risk and Exploitability

The CVSS score of 3.1 denotes a low overall severity, and the EPSS score of less than 1% indicates a very low expected exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and content‑based; an attacker can supply malicious content to a user’s browser to trigger the crash. Because the flaw does not grant code execution or persistence, the risk is limited to disrupting availability of the affected processes. Nonetheless, applying the vendor’s patch remains the recommended countermeasure.

Generated by OpenCVE AI on April 22, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to the latest available version that includes the WebKitGTK fix (e.g., Safari 26.2 or newer).
  • Until the update is applied, employ browser‑level restrictions such as disabling JavaScript for untrusted sites or using a sandboxed content‑filtering extension to reduce the ability of malicious content to be processed.
  • Regularly check Apple’s security advisories and perform system updates via Settings > General > Software Update so future fixes and broader system hardening are received promptly.

Generated by OpenCVE AI on April 22, 2026 at 20:25 UTC.

Advisories

Source      ID          Title
Debian DLA  DLA-4414-1  webkit2gtk security update
Debian DSA  DSA-6083-1  webkit2gtk security update
Ubuntu USN  USN-7957-1  WebKitGTK vulnerabilities

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A race condition was addressed with improved state handling. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Values Added: A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Thu, 18 Dec 2025 19:30:00 +0000

Type: First Time appeared
Values Added: Apple iphone Os

Type: CPEs
Values Added:
  cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple iphone Os

Thu, 18 Dec 2025 10:00:00 +0000

Type: First Time appeared
Values Added: Apple, Apple ios, Apple ipados, Apple macos, Apple macos Tahoe, Apple safari, Apple tvos, Apple visionos, Apple watchos

Type: Vendors & Products
Values Added: Apple, Apple ios, Apple ipados, Apple macos, Apple macos Tahoe, Apple safari, Apple tvos, Apple visionos, Apple watchos

Thu, 18 Dec 2025 00:15:00 +0000

Type: Title
Values Added: webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

Type: Weaknesses
Values Added: CWE-362

Type: References
Values Added: (none listed)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Wed, 17 Dec 2025 21:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values Added: A race condition was addressed with improved state handling. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:13:55.030Z

Reserved: 2025-04-16T15:27:21.197Z

Link: CVE-2025-43531

Vulnrichment

Updated: 2025-12-17T21:10:15.855Z

NVD

Status : Modified

Published: 2025-12-17T21:16:11.823

Modified: 2026-04-02T19:21:00.413

Link: CVE-2025-43531

Redhat

Severity: Important

Public Date: 2025-12-17T00:00:00Z

Links: CVE-2025-43531 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses