Description
A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may disclose internal states of the app.
Published: 2026-01-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Software
AI Analysis

Impact

This vulnerability originates from a memory initialization issue that was improved in newer firmware. Processing carefully crafted web content may disclose internal states of the application. The flaw allows an attacker to glean sensitive information such as application state or cached data through crafted web pages. It is a combination of broken access control and improper memory handling, classified as CWE-284 and CWE-909.

Affected Systems

The flaw affects Apple’s Safari browser and the WebKit engine across all Apple platforms – iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Versions prior to 26.2 in each of these products are vulnerable; the issue has been fixed in Safari 26.2, iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. The EPSS score is less than 1 %, meaning the probability of exploitation in the wild is low. The issue is not listed in the CISA KEV catalog. Exploitation requires the victim to load maliciously crafted web content, likely via a website or a phishing email, so social engineering is a plausible vector. Once accessed, an attacker can read internal state data, potentially facilitating further attacks or profiling.

Generated by OpenCVE AI on April 22, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Apple software to version 26.2 or later, including Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.
  • If an upgrade is not immediately possible, disable or block the execution of untrusted web content via browser security settings or enterprise device management.
  • Consider restricting the use of WebKitGTK on untrusted networks or sandboxing applications that render web content.

Generated by OpenCVE AI on April 22, 2026 at 20:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6232-1 webkit2gtk security update
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app. A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may disclose internal states of the app.

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
Weaknesses CWE-909
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple iphone Os
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple iphone Os

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipados
Apple macos
Apple macos Tahoe
Apple safari
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios
Apple ipados
Apple macos
Apple macos Tahoe
Apple safari
Apple tvos
Apple visionos
Apple watchos

Fri, 09 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app.
References

Subscriptions

Apple Ios Ipados Iphone Os Macos Macos Tahoe Safari Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:12:05.946Z

Reserved: 2025-04-22T21:13:49.960Z

Link: CVE-2025-46299

cve-icon Vulnrichment

Updated: 2026-01-09T21:41:47.841Z

cve-icon NVD

Status : Modified

Published: 2026-01-09T22:15:59.797

Modified: 2026-04-02T19:21:05.157

Link: CVE-2025-46299

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2025-46299 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses