Description
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application crash leading to denial of service
Action: Patch
AI Analysis

Impact

A type confusion flaw in WebKitGTK’s state handling caused Safari to crash when rendering maliciously crafted web content. The resulting crash leads to a denial‑of‑service condition for the affected user, but does not provide code execution or data exfiltration capabilities.

Affected Systems

The vulnerability affects Apple’s Safari browser on macOS, iOS 18.7.3, iOS 26.2, iPadOS 18.7.3, iPadOS 26.2, macOS Tahoe 26.2, and visionOS 26.2. Updating to the specified patched versions removes the issue.

Risk and Exploitability

With a CVSS score of 4.3 and an EPSS below 1%, the threat is low and unlikely to be actively exploited. The issue is not listed in the CISA KEV catalog. Attackers would need to deliver malicious web content to a user’s browser, so the vector is web‐based and the likelihood of successful exploitation is minimal under normal conditions.

Generated by OpenCVE AI on April 22, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, macOS, and visionOS to the latest public releases that include the 26.2 patch for Safari, 18.7.3/26.2 for iOS/iPadOS, and 26.2 for macOS and visionOS.
  • Enable browser security features such as Content Security Policy and script blocking to limit the effect of malformed web content.
  • If a swift update is unavailable, restrict access to untrusted or high‑risk websites through enterprise web filtering or by configuring trusted site lists to reduce exposure to malicious content.

Generated by OpenCVE AI on April 22, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4414-1 webkit2gtk security update
Debian DSA Debian DSA DSA-6083-1 webkit2gtk security update
Ubuntu USN Ubuntu USN USN-7957-1 WebKitGTK vulnerabilities
History

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Thu, 18 Dec 2025 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipad Os
Apple macos
Apple macos Tahoe
Apple safari
Apple visionos
Vendors & Products Apple
Apple ios
Apple ipad Os
Apple macos
Apple macos Tahoe
Apple safari
Apple visionos

Thu, 18 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 17 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Subscriptions

Apple Ios Ipad Os Ipados Iphone Os Macos Macos Tahoe Safari Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:09:40.186Z

Reserved: 2025-04-16T15:27:21.198Z

Link: CVE-2025-43541

cve-icon Vulnrichment

Updated: 2025-12-17T21:09:04.620Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-17T21:16:12.680

Modified: 2025-12-18T19:06:51.230

Link: CVE-2025-43541

cve-icon Redhat

Severity : Important

Publid Date: 2025-12-17T00:00:00Z

Links: CVE-2025-43541 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses