An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).
The flaw involves an out-of-bounds write in allocated memory buffer in the WebKit engine during processing of maliciously crafted web content. Insufficient control mechanisms allow an attacker to perform unauthorized memory operations, resulting in escape from the isolated Web Content process (sandbox escape). Apple indicates this is a supplementary security fix for an attack that was previously blocked in iOS 17.2 — this means the original attack vector was known earlier, but could be bypassed on older system versions.
An attacker can break out of the browser process isolation (sandbox escape), which could consequently lead to unauthorized access to the operating system, compromise of confidentiality, integrity, and availability of data on the victim's device.
Update immediately to the following versions: Safari 18.3.1, iOS 18.3.2 / iPadOS 18.3.2, iOS 16.7.11 / iPadOS 16.7.11, iOS 15.8.4 / iPadOS 15.8.4, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Updates are available through standard Apple update mechanisms.
Apple Safari (before 18.3.1), iOS and iPadOS (before 18.3.2, 16.7.11, 15.8.4), iPadOS 17.7.6, macOS Sequoia (before 15.3.2), visionOS (before 2.3.2), watchOS (before 11.4). Active exploitation confirmed on iOS versions earlier than iOS 17.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HApple iPadOS
OSApple18.0 – 18.3.2 (bez)15.8 – 15.8.4 (bez)16.7 – 16.7.11 (bez)17.0 – 17.7.6 (bez)Apple iOS
OSApple15.8 – 15.8.4 (bez)17.0 – 18.3.2 (bez)16.7 – 16.7.11 (bez)Apple macOS
OSApple15.0 – 15.3.2 (bez)Apple Safari
APPApple< 18.3.1Apple Visionos
OSApple< 2.3.2Apple watchOS
OSApple< 11.4Debian
OSDebian11.0
CISA KEV — detailsi
- Vendori
- Apple ↗
- Producti
- Multiple Products
- Added to KEVi
- March 13, 2025
- Remediation deadline (US Federal)i
- April 3, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)