CVE-2025-24264

CVE-2025-24264 is a memory handling vulnerability affecting Apple's Safari browser and related operating systems, including versions of iOS prior to 18.4, iPadOS prior to 18.4 and 17.7.6, macOS Sequoia prior to 15.4, tvOS prior to 18.4, visionOS prior to 2.4, and watchOS prior to 11.4. The flaw, classified under CWE-400 (Uncontrolled Resource Consumption), was addressed through improved memory handling. Processing maliciously crafted web content may lead to an unexpected Safari crash, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts across confidentiality, integrity, and availability.

A remote attacker with no privileges or user interaction required can exploit this vulnerability over the network with low complexity. By delivering maliciously crafted web content, the attacker can trigger the memory handling issue in Safari, resulting in a crash that disrupts availability. The high CVSS scores for confidentiality and integrity suggest potential for additional impacts such as data exposure or modification, though the primary manifestation is the described crash.

Apple security advisories detail mitigations through patches released in Safari 18.4, iOS 18.4, iPadOS 18.4 and 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and watchOS 11.4. Security practitioners should prioritize updating affected devices to these versions, as outlined in Apple's support documentation at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, and https://support.apple.com/en-us/122377.