CVE-2025-31238: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-31238 is a WebKit vulnerability discovered by wac working with Trend Micro Zero Day Initiative, disclosed on May 12, 2025. The vulnerability affects multiple Apple operating systems including watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, and Safari 18.5 (Apple Support, NVD).

The vulnerability is classified as a memory corruption issue in WebKit, Apple's browser engine. It has been assigned a CVSS 3.1 Base Score of 7.3 (HIGH) by CISA-ADP with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Wiz).

When exploited, the vulnerability allows processing of maliciously crafted web content that can lead to memory corruption. This could potentially result in unauthorized access to sensitive data, system crashes, or possible code execution in the context of the WebKit process (Wiz).

Apple has addressed this vulnerability by implementing improved checks in the affected operating systems. Users are advised to update to the latest versions: watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, or Safari 18.5 (Apple Support).