CVE-2025-24264
Published: 31 March 2025
Summary
CVE-2025-24264 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apple Ipados. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 49.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-24264 is a memory-handling flaw in Safari that can be triggered by processing maliciously crafted web content, resulting in an unexpected browser crash. The issue affects Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and watchOS 11.4, and carries a CVSS 3.1 base score of 9.8 with the CWE-400 classification.
An unauthenticated remote attacker can exploit the vulnerability simply by causing a victim to load attacker-controlled web content in Safari. Successful exploitation can impact confidentiality, integrity, and availability of the affected device.
Apple security advisories for the listed platform releases state that the issue was resolved through improved memory handling and recommend installing the updates that contain the fix.
The associated EPSS score rose from a low baseline to a peak of 0.0166 on 2026-04-24 before receding, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8949
Vulnerability details
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an…
more
unexpected Safari crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is triggered by processing maliciously crafted web content leading to a browser crash, directly enabling Drive-by Compromise (T1189) via web delivery and Application or System Exploitation (T1499.004) for denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of flaws through vendor patches, directly addressing the memory handling vulnerability fixed in Safari 18.4 and related Apple OS updates.
Implements memory protection mechanisms to prevent unauthorized code execution or corruption from maliciously crafted web content that triggers crashes.
Protects against denial-of-service attacks, including uncontrolled resource consumption (CWE-400) leading to Safari crashes from remote malicious web content.