Cyber Resilience

CVE-2025-24264

CriticalDDoS

Published: 31 March 2025

Published
31 March 2025
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24264 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apple Ipados. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 49.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-24264 is a memory-handling flaw in Safari that can be triggered by processing maliciously crafted web content, resulting in an unexpected browser crash. The issue affects Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and watchOS 11.4, and carries a CVSS 3.1 base score of 9.8 with the CWE-400 classification.

An unauthenticated remote attacker can exploit the vulnerability simply by causing a victim to load attacker-controlled web content in Safari. Successful exploitation can impact confidentiality, integrity, and availability of the affected device.

Apple security advisories for the listed platform releases state that the issue was resolved through improved memory handling and recommend installing the updates that contain the fix.

The associated EPSS score rose from a low baseline to a peak of 0.0166 on 2026-04-24 before receding, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an…

more

unexpected Safari crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is triggered by processing maliciously crafted web content leading to a browser crash, directly enabling Drive-by Compromise (T1189) via web delivery and Application or System Exploitation (T1499.004) for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20652Same product: Apple Ipados
CVE-2026-20650Same product: Apple Ipados
CVE-2025-24126Same product: Apple Ipados
CVE-2025-24190Same product: Apple Ipados
CVE-2025-24211Same product: Apple Ipados
CVE-2026-28904Same product: Apple Ipados
CVE-2024-44227Same product: Apple Ipados
CVE-2024-54551Same product: Apple Ipados
CVE-2025-30471Same product: Apple Ipados
CVE-2026-28874Same product: Apple Ipados

Affected Assets

apple
safari
≤ 18.4
apple
ipados
≤ 17.7.6 · 18.0 — 18.4
apple
iphone os
≤ 18.4
apple
macos
15.0 — 15.4
apple
tvos
≤ 18.4
apple
visionos
≤ 2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws through vendor patches, directly addressing the memory handling vulnerability fixed in Safari 18.4 and related Apple OS updates.

prevent

Implements memory protection mechanisms to prevent unauthorized code execution or corruption from maliciously crafted web content that triggers crashes.

prevent

Protects against denial-of-service attacks, including uncontrolled resource consumption (CWE-400) leading to Safari crashes from remote malicious web content.

References