CVE-2025-31278: 
Apple Safari vulnerability analysis and mitigation

A memory corruption vulnerability (CVE-2025-31278) was discovered in WebKit, affecting multiple Apple operating systems. The vulnerability was disclosed on July 29, 2025, and affects Safari 18.6, iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, and tvOS 18.6. The issue was identified by researchers Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei (Apple Security, Safari Release).

The vulnerability exists in WebKit's memory handling mechanism where processing maliciously crafted web content may lead to memory corruption. The issue was tracked as WebKit Bugzilla: 291742. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability could allow an attacker to execute arbitrary code when processing maliciously crafted web content, potentially leading to memory corruption. This could result in unauthorized access to sensitive information, system crashes, or complete system compromise (Apple Security, Ubuntu Security).

Apple has addressed the vulnerability by improving memory handling mechanisms in the affected operating systems. Security updates have been released for all affected products: Safari 18.6, iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, and tvOS 18.6. Users are strongly advised to update their devices to the latest versions (Apple Security).