Cyber Posture

CVE-2025-31277

High · CISA KEV · Active Exploitation

Published: 30 July 2025
Modified: 03 April 2026
KEV Added: 20 March 2026
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.9th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31277 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Apple Safari. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 37.9th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Implements memory protection mechanisms like address space randomization and data execution prevention to directly mitigate memory corruption exploits in WebKit.

prevent

Requires timely identification, reporting, and remediation of flaws such as the inadequate memory handling fixed in Safari 18.6 and related Apple OS updates.

prevent · detect

Deploys malicious code protection to scan and block web content that could trigger the WebKit memory corruption vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Memory corruption in WebKit enables RCE via malicious website visit (drive-by) and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to memory corruption.

Deeper analysis · AI

CVE-2025-31277 is a memory corruption vulnerability (CWE-119) in Apple's WebKit rendering engine, stemming from inadequate memory handling. It affects Safari prior to version 18.6, as well as iOS and iPadOS prior to 18.6, macOS Sequoia prior to 15.6, tvOS prior to 18.6, visionOS prior to 2.6, and watchOS prior to 11.6. The issue, published on July 30, 2025, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for full system compromise.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, but it necessitates user interaction, such as visiting a malicious website. Successful exploitation of the memory corruption could grant attackers high-impact control over confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data theft, or persistent access on the targeted device.

Apple's security advisories confirm the vulnerability was addressed through improved memory handling in the listed patched versions. Security practitioners should prioritize updating affected Apple devices and advise users to avoid untrusted web content until patches are applied, as detailed in support documents at https://support.apple.com/en-us/124147, https://support.apple.com/en-us/124149, https://support.apple.com/en-us/124152, https://support.apple.com/en-us/124153, and https://support.apple.com/en-us/124154.

Details

CWE(s): CWE-119
KEV Date Added: 20 March 2026

Affected Products

apple · safari · ≤ 18.6
apple · ipados · ≤ 18.6
apple · iphone os · ≤ 18.6
apple · macos · 15.0 — 15.6
apple · tvos · ≤ 18.6
apple · visionos · ≤ 2.6
apple · watchos · ≤ 11.6

CVEs Like This One

CVE-2025-31273 · Same product: Apple iPadOS
CVE-2025-31278 · Same product: Apple iPadOS
CVE-2026-20700 · Same product: Apple iPadOS · both on KEV
CVE-2025-43529 · Same product: Apple iPadOS · both on KEV
CVE-2025-43186 · Same product: Apple iPadOS
CVE-2024-54551 · Same product: Apple iPadOS
CVE-2024-54543 · Same product: Apple iPadOS
CVE-2025-24201 · Same product: Apple iPadOS · both on KEV
CVE-2025-43209 · Same product: Apple iPadOS
CVE-2025-24085 · Same product: Apple iPadOS · both on KEV
