
Advisory 2025-0486 - Webkit/Apple: Vulnerability allows security mechanisms to be bypassed

Attention: You can now also find information from the Vulnerability Advisory Service in the CTI portal!
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-0486
Notice: This advisory is, as an exception, published in full. As a customer you regularly receive the details of vulnerability information via your login or through our daily advisory e-mail.
Attack probability: 4 (medium-high)
Potential damage: 4 (medium-high)
Remote anonymous attacker | User interaction required | Exploit available
Date
2025-03-12
Release
2025-04-01 UPDATE

Operating System

  • iPhoneOS
  • MacOS X
  • Other
  • UNIX

Software

  • Apple iOS < 18.3.2
  • Apple iPadOS < 18.3.2
  • Apple macOS Sequoia < 15.3.2
  • Apple Safari < 18.3.1
  • Open Source WebKit
  • UPDATE 2025-03-17
  • Red Hat Enterprise Linux
  • UPDATE 2025-03-18
  • Oracle Linux
  • UPDATE 2025-03-20
  • Fedora Linux
  • UPDATE 2025-03-21
  • Open Source WebKit < 2.46.7
  • Open Source WebKit < 2.48.0
  • UPDATE 2025-03-24
  • Debian Linux
  • SUSE Linux
  • UPDATE 2025-04-01
  • Apple iOS < 15.8.4
  • Apple iOS < 16.7.11
  • Apple iPad < 15.8.4
  • Apple iPadOS < 16.7.11
  • Ubuntu Linux
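
The version ranges in the Software list above are what an inventory check needs. The following Python is an added example, not part of the advisory and not vendor tooling: it encodes the first fixed version per release branch as listed on this page and decides whether an installed version is still affected. It compares versions numerically (so 18.3.10 counts as newer than 18.3.2, which a string comparison gets wrong), picks the fix on the matching release branch (e.g. iOS 16.7.x is measured against 16.7.11), and, where no listed branch matches (e.g. iOS 17.x), assumes the advisory's plain "< 18.3.2" range applies and reports the version as affected. The inventory records are constructed sample data.

```python
from typing import Dict, List, Tuple

# First fixed version per release branch, taken from the "Software" list of
# Advisory 2025-0486 (CVE-2025-24201). Everything below a fix is affected.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Apple iOS": ["15.8.4", "16.7.11", "18.3.2"],
    "Apple iPadOS": ["15.8.4", "16.7.11", "18.3.2"],
    "Apple macOS Sequoia": ["15.3.2"],
    "Apple Safari": ["18.3.1"],
    "Open Source WebKit": ["2.46.7", "2.48.0"],
}

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("mbp-01", "Apple macOS Sequoia", "15.3.1"),
    ("mbp-02", "Apple macOS Sequoia", "15.3.2"),
    ("ipad-07", "Apple iPadOS", "16.7.10"),
    ("iphone-12", "Apple iOS", "18.3.10"),
    ("kiosk-03", "Open Source WebKit", "2.46.5"),
    ("kiosk-04", "Open Source WebKit", "2.48.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.3.2' into (18, 3, 2) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def common_prefix_len(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Number of leading components two versions share (their release branch)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def applicable_fix(product: str, installed: Tuple[int, ...]) -> Tuple[int, ...]:
    """Pick the fixed version to measure against: the one on the same release
    branch (longest shared prefix); if no branch matches, the newest fix, which
    is how the advisory's '< 18.3.2' style range reads (assumption)."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    fixes = [parse_version(v) for v in FIXED_VERSIONS[product]]
    return max(fixes, key=lambda fix: (common_prefix_len(installed, fix), fix))


def is_affected(product: str, version: str) -> bool:
    """True if the installed version is below the applicable fixed version."""
    installed = parse_version(version)
    return installed < applicable_fix(product, installed)


def audit(inventory) -> List[str]:
    """Return the hostnames whose installed version is still affected."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: affected by CVE-2025-24201, update required")
```

Run as-is to list the affected hosts in the sample inventory; for a real fleet, feed `audit()` the same (host, product, version) triples from your asset database. Products not in the advisory raise a ValueError rather than silently passing as clean.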

Attack

A remote, anonymous attacker can exploit a vulnerability in WebKit and in Apple iOS, Apple iPadOS, Apple macOS and Apple Safari to bypass security mechanisms.

Description

WebKit is the web browser engine used by Safari and many other apps on macOS, iOS, and Linux. Apple iOS (formerly iPhone OS) is the operating system of Apple's iPhone, iPad and iPod Touch, developed by Apple Inc. Apple iPadOS is the operating system of the iPad, developed by Apple Inc. Apple macOS is an operating system based on FreeBSD and Mach. Safari is the web browser used on Apple devices.

CVE-2025-24201

A vulnerability exists in WebKit and in Apple iOS, Apple iPadOS, Apple macOS, as well as Apple Safari. Data can be written outside the intended memory area (out-of-bounds write). This allows the protected environment (sandbox) of WebKit to be bypassed and other components to be accessed. A remote, anonymous attacker can exploit this to circumvent security mechanisms. Successful exploitation requires user interaction.

CVSSv2 Base Score: 9.3 / Temporal Score: 8.1
AV:N/AC:M/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 9.6 / Temporal Score: 9.2
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:X

The vulnerability is already being actively exploited according to Apple.

Recommendation

Apple provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://support.apple.com/en-us/122281

Apple provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://support.apple.com/en-us/122283
https://support.apple.com/en-us/122285

UPDATE 2025-03-17

Red Hat provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://access.redhat.com/errata/RHSA-2025:2863
https://access.redhat.com/errata/RHSA-2025:2864

UPDATE 2025-03-18
https://access.redhat.com/errata/RHSA-2025:3000

Oracle Linux provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://linux.oracle.com/errata/ELSA-2025-2864.html
https://linux.oracle.com/errata/ELSA-2025-2863.html

Red Hat provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://access.redhat.com/errata/RHSA-2025:2998
https://access.redhat.com/errata/RHSA-2025:2997
https://access.redhat.com/errata/RHSA-2025:3001
https://access.redhat.com/errata/RHSA-2025:3002
https://access.redhat.com/errata/RHSA-2025:3005

UPDATE 2025-03-19
https://access.redhat.com/errata/RHSA-2025:3034

UPDATE 2025-03-20

Fedora provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b92313b6f2
https://bodhi.fedoraproject.org/updates/FEDORA-2025-0c6c204dae
https://bodhi.fedoraproject.org/updates/FEDORA-2025-80e387cc51

UPDATE 2025-03-21

WebKit provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://webkitgtk.org/security/WSA-2025-0002.html

UPDATE 2025-03-24

Debian provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://lists.debian.org/debian-security-announce/2025/msg00047.html

SUSE provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020570.html
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020571.html

UPDATE 2025-03-25
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020583.html

UPDATE 2025-03-27

Red Hat provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://access.redhat.com/errata/RHSA-2025:3059

SUSE provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020603.html
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020608.html

UPDATE 2025-04-01

Apple provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://support.apple.com/en-us/122345

Ubuntu provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://ubuntu.com/security/notices/USN-7395-1

Apple provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://support.apple.com/en-us/122346

Information

About the Security Content of iOS 18.3.2 and iPadOS 18.3.2 dated 2025-03-11
https://support.apple.com/en-us/122281

About the Security Content of macOS Sequoia 15.3.2 dated 2025-03-11
https://support.apple.com/en-us/122283

About the Security Content of Safari 18.3.1 dated 2025-03-11
https://support.apple.com/en-us/122285

UPDATE 2025-03-17

Red Hat Security Advisory RHSA-2025:2863 dated 2025-03-17
https://access.redhat.com/errata/RHSA-2025:2863

Red Hat Security Advisory RHSA-2025:2864 dated 2025-03-17
https://access.redhat.com/errata/RHSA-2025:2864

UPDATE 2025-03-18

Red Hat Security Advisory RHSA-2025:3000 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:3000

Oracle Linux Security Advisory ELSA-2025-2864 dated 2025-03-17
https://linux.oracle.com/errata/ELSA-2025-2864.html

Oracle Linux Security Advisory ELSA-2025-2863 dated 2025-03-17
https://linux.oracle.com/errata/ELSA-2025-2863.html

Red Hat Security Advisory RHSA-2025:2998 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:2998

Red Hat Security Advisory RHSA-2025:2997 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:2997

Red Hat Security Advisory RHSA-2025:3001 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:3001

Red Hat Security Advisory RHSA-2025:3002 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:3002

Red Hat Security Advisory RHSA-2025:3005 dated 2025-03-18
https://access.redhat.com/errata/RHSA-2025:3005

UPDATE 2025-03-19

Red Hat Security Advisory RHSA-2025:3034 dated 2025-03-19
https://access.redhat.com/errata/RHSA-2025:3034

UPDATE 2025-03-20

Fedora Security Advisory FEDORA-2025-B92313B6F2 dated 2025-03-19
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b92313b6f2

Fedora Security Advisory FEDORA-2025-0C6C204DAE dated 2025-03-19
https://bodhi.fedoraproject.org/updates/FEDORA-2025-0c6c204dae

Fedora Security Advisory FEDORA-2025-80E387CC51 dated 2025-03-19
https://bodhi.fedoraproject.org/updates/FEDORA-2025-80e387cc51

UPDATE 2025-03-21

WebKit Security Advisory WSA-2025-0002 dated 2025-03-20
https://webkitgtk.org/security/WSA-2025-0002.html

UPDATE 2025-03-24

Debian Security Advisory DSA-5885 dated 2025-03-24
https://lists.debian.org/debian-security-announce/2025/msg00047.html

SUSE Security Update SUSE-SU-2025:0975-1 dated 2025-03-21
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020570.html

SUSE Security Update SUSE-SU-2025:0974-1 dated 2025-03-21
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020571.html

UPDATE 2025-03-25

SUSE Security Update SUSE-SU-2025:0993-1 dated 2025-03-24
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020583.html

UPDATE 2025-03-27

Red Hat Security Advisory RHSA-2025:3059 dated 2025-03-26
https://access.redhat.com/errata/RHSA-2025:3059

SUSE Security Update SUSE-SU-2025:1023-1 dated 2025-03-26
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020603.html

SUSE Security Update SUSE-SU-2025:1033-1 dated 2025-03-26
https://lists.suse.com/pipermail/sle-security-updates/2025-March/020608.html

UPDATE 2025-04-01

Apple Security Advisory 122345 dated 2025-03-31
https://support.apple.com/en-us/122345

Ubuntu Security Notice USN-7395-1 dated 2025-03-31
https://ubuntu.com/security/notices/USN-7395-1

Apple Security Advisory 122346 dated 2025-03-31
https://support.apple.com/en-us/122346

References

APPLE:122281
APPLE:122283
APPLE:122285
APPLE:122345
APPLE:122346
APPLE-SA:APPLE-SA-03-11-2025-1
APPLE-SA:APPLE-SA-03-11-2025-2
APPLE-SA:APPLE-SA-03-11-2025-3
CVE:CVE-2025-24201
DEBIAN:DSA-5885
FEDORA:FEDORA-2025-0C6C204DAE
FEDORA:FEDORA-2025-80E387CC51
FEDORA:FEDORA-2025-B92313B6F2
ORACLELINUX:ELSA-2025-2863
ORACLELINUX:ELSA-2025-2864
REDHAT:RHSA-2025:2863
REDHAT:RHSA-2025:2864
REDHAT:RHSA-2025:2997
REDHAT:RHSA-2025:2998
REDHAT:RHSA-2025:3000
REDHAT:RHSA-2025:3001
REDHAT:RHSA-2025:3002
REDHAT:RHSA-2025:3005
REDHAT:RHSA-2025:3034
REDHAT:RHSA-2025:3059
REDHAT-BUG:2351802
SUSE:SUSE-SU-2025:0974-1
SUSE:SUSE-SU-2025:0975-1
SUSE:SUSE-SU-2025:0993-1
SUSE:SUSE-SU-2025:1023-1
SUSE:SUSE-SU-2025:1033-1
UBUNTU:USN-7395-1
WEBKIT:WSA-2025-0002

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The potential damage is determined by the effort needed to remediate the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.

Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.