CVE-2025-24264
Published: 31 March 2025
Summary
CVE-2025-24264 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apple iPadOS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 49.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of flaws through vendor patches, directly addressing the memory handling vulnerability fixed in Safari 18.4 and related Apple OS updates.
Implements memory protection mechanisms to prevent unauthorized code execution or corruption from maliciously crafted web content that triggers crashes.
Protects against denial-of-service attacks, including uncontrolled resource consumption (CWE-400) leading to Safari crashes from remote malicious web content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by processing maliciously crafted web content leading to a browser crash, directly enabling Drive-by Compromise (T1189) via web delivery and Application or System Exploitation (T1499.004) for denial of service.
NVD Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Deeper analysis
CVE-2025-24264 is a memory handling vulnerability affecting Apple's Safari browser and related operating systems, including versions of iOS prior to 18.4, iPadOS prior to 18.4 and 17.7.6, macOS Sequoia prior to 15.4, tvOS prior to 18.4, visionOS prior to 2.4, and watchOS prior to 11.4. The flaw, classified under CWE-400 (Uncontrolled Resource Consumption), was addressed through improved memory handling. Processing maliciously crafted web content may lead to an unexpected Safari crash. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts across confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability over the network with low complexity, with no privileges or user interaction required. By delivering maliciously crafted web content, the attacker can trigger the memory handling issue in Safari, resulting in a crash that disrupts availability. The high CVSS scores for confidentiality and integrity suggest potential for additional impacts such as data exposure or modification, though the primary manifestation is the described crash.
Apple security advisories detail mitigations through patches released in Safari 18.4, iOS 18.4, iPadOS 18.4 and 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and watchOS 11.4. Security practitioners should prioritize updating affected devices to these versions, as outlined in Apple's support documentation at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122372, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, and https://support.apple.com/en-us/122377.
Details
- CWE(s)