CVE-2025-43392: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-43392 is a security vulnerability affecting WebKit Canvas in Apple's operating systems (iOS, iPadOS, macOS, and watchOS) discovered by Tom Van Goethem. The vulnerability was disclosed and patched in November 2025 as part of Apple's security updates across multiple platforms (Apple Support).

The vulnerability exists in WebKit Canvas where a website may be able to exfiltrate image data cross-origin. The issue was addressed with improved handling of caches in WebKit (WebKit Bugzilla: 297566). The vulnerability affects multiple Apple platforms including macOS Sonoma, macOS Sequoia, iOS 26.1, iPadOS 26.1, and watchOS 26.1 (Apple Support).

The vulnerability allows malicious websites to exfiltrate image data across origins, potentially leading to unauthorized access to user's image data from different domains. This cross-origin data leak could compromise user privacy and security by allowing websites to access image content from other websites without proper authorization (Apple Support).

Apple has addressed this vulnerability by improving the handling of caches in WebKit Canvas. Users should update to the latest versions of their respective operating systems: Safari 26.1, macOS Tahoe 26.1, iOS 26.1, iPadOS 26.1, or watchOS 26.1, which contain the security fixes for this vulnerability (Apple Support).