Cyber Resilience

CVE-2025-31277

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 30 July 2025
Modified: 03 April 2026
KEV Added: 20 March 2026
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.9th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31277 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Apple Safari. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 48.9th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2025-31277 is a memory corruption flaw resulting from insufficient memory handling during the processing of web content. It affects Safari 18.6 along with iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, and watchOS 11.6, and is tracked under CWE-119 with a CVSS 3.1 score of 8.8.

An unauthenticated remote attacker can exploit the issue by delivering maliciously crafted web content that a user visits in the affected Apple software, leading to memory corruption that may enable arbitrary code execution or denial of service with high impact on confidentiality, integrity, and availability.

Apple security advisories state that the issue has been resolved by improved memory handling in the listed software versions and direct users to the corresponding updates on support.apple.com.

The current EPSS score stands at 0.0025 with no reported real-world exploitation.

Vulnerability details

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to memory corruption.

CWE(s): CWE-119
KEV Date Added: 20 March 2026

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1189 · Drive-by Compromise · Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 · Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Memory corruption in WebKit enables RCE via malicious website visit (drive-by) and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-31278 · Same product: Apple iPadOS
CVE-2025-31273 · Same product: Apple iPadOS
CVE-2026-20700 · Same product: Apple iPadOS · both on KEV
CVE-2026-28955 · Same product: Apple iPadOS
CVE-2025-43529 · Same product: Apple iPadOS · both on KEV
CVE-2026-43658 · Same product: Apple iPadOS
CVE-2025-43186 · Same product: Apple iPadOS
CVE-2026-28990 · Same product: Apple iPadOS
CVE-2026-28904 · Same product: Apple iPadOS
CVE-2024-54551 · Same product: Apple iPadOS

Affected Assets

apple · safari · ≤ 18.6
apple · ipados · ≤ 18.6
apple · iphone os · ≤ 18.6
apple · macos · 15.0 to 15.6
apple · tvos · ≤ 18.6
apple · visionos · ≤ 2.6
apple · watchos · ≤ 11.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Implements memory protection mechanisms like address space randomization and data execution prevention to directly mitigate memory corruption exploits in WebKit.

prevent: Requires timely identification, reporting, and remediation of flaws such as the inadequate memory handling fixed in Safari 18.6 and related Apple OS updates.

prevent · detect: Deploys malicious code protection to scan and block web content that could trigger the WebKit memory corruption vulnerability.
