Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Process Crash (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

This vulnerability originates from unsafe memory handling while parsing specially crafted web content. When the WebKit rendering engine processes such content, the renderer can crash, terminating the browser or an auxiliary web process. The stated impact is limited to denial of service: the description gives no indication of a path to code execution or privilege escalation.

Affected Systems

Affected Apple products include Safari, iOS, iPadOS, macOS, and visionOS. Versions prior to Safari 26.2, iOS 18.7.3 and 26.2, iPadOS 18.7.3 and 26.2, macOS Tahoe 26.2, and visionOS 26.2 are vulnerable. The issue is fixed in the specified releases and later.

Risk and Exploitability

The CVSS score of 4.3 classifies the flaw as medium severity. The EPSS score is reported as < 1%, meaning the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog and no active exploits are documented. Based on the description, the likely attack vector involves delivering malicious web content to a user's Safari or other WebKit-based browsing context, so user interaction (for example, visiting a page via a phishing link) is required. Given the data, the risk is low, but applying the vendor-supplied updates is recommended.

Generated by OpenCVE AI on April 27, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apple Safari to version 26.2 or later
  • Update iOS to version 18.7.3 or later
  • Update iPadOS to version 18.7.3 or later
  • Update macOS to version 26.2 or later
  • Update visionOS to version 26.2 or later

Tracking

Advisories
Source       ID           Title
Debian DLA   DLA-4414-1   webkit2gtk security update
Debian DSA   DSA-6083-1   webkit2gtk security update
Ubuntu USN   USN-7957-1   WebKitGTK vulnerabilities
History

Thu, 18 Dec 2025 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apple iphone Os
Weaknesses                             NVD-CWE-noinfo
CPEs                                   cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products                     Apple iphone Os

Thu, 18 Dec 2025 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apple
                                       Apple ios
                                       Apple ipados
                                       Apple macos
                                       Apple macos Tahoe
                                       Apple safari
                                       Apple visionos
Vendors & Products                     Apple
                                       Apple ios
                                       Apple ipados
                                       Apple macos
                                       Apple macos Tahoe
                                       Apple safari
                                       Apple visionos

Thu, 18 Dec 2025 00:15:00 +0000

Type                  Values Removed           Values Added
Title                                          webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
Weaknesses                                     CWE-119
References
Metrics               threat_severity: None    threat_severity: Important


Wed, 17 Dec 2025 22:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
                                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 21:00:00 +0000

Type                  Values Removed   Values Added
Description                            The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:23:38.768Z

Reserved: 2025-04-16T15:27:21.198Z

Link: CVE-2025-43535

Vulnrichment

Updated: 2025-12-17T21:34:11.948Z

NVD

Status : Analyzed

Published: 2025-12-17T21:16:12.167

Modified: 2025-12-18T19:34:56.820

Link: CVE-2025-43535

Redhat

Severity : Important

Public Date: 2025-12-17T00:00:00Z

Links: CVE-2025-43535 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses