
Apple Buffer Overflow Vulnerability Fixed in Safari, iOS, macOS

Source: CISA ICS-CERT Advisories
Published November 3rd, 2025
Detected March 20th, 2026

Summary

CISA has added a buffer overflow vulnerability (CVE-2025-31277) affecting Apple products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which allows for memory corruption via maliciously crafted web content, has been addressed by Apple in recent software updates.

What changed

CISA has added CVE-2025-31277, a buffer overflow vulnerability in Apple's Safari, iOS, iPadOS, macOS, tvOS, and watchOS, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), allows memory corruption when maliciously crafted web content is processed and carries a CVSS 3.1 base score of 8.8 (HIGH). Apple has released updates (Safari 18.6, iOS/iPadOS 18.6, macOS Sequoia 15.6, etc.) to address this issue.

Because the vulnerability is now in the KEV catalog, federal agencies are required to apply the available security patches to mitigate the risk of exploitation. All users, particularly those in federal agencies, should ensure their Apple devices are updated to the latest versions. Inclusion in the KEV catalog indicates active exploitation, which underscores the urgency of applying these updates.

What to do next

  1. Update Apple devices to the latest software versions (Safari 18.6, iOS/iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, watchOS 11.6, visionOS 2.6).
  2. Federal agencies must apply available security patches as per CISA directives.

Source document (simplified)

Required CVE Record Information

CNA: Apple Inc.

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption.

Product Status

Six products are listed (product names are not present in this copy of the record). Each has Default Status: unknown and one affected version range:

  • affected before 18.6
  • affected before 15.6
  • affected before 18.6
  • affected before 2.6
  • affected before 11.6
  • affected before 18.6

References: 6 total

CVE Program

Updated: 2025-11-03

This container includes required additional information provided by the CVE Program for this vulnerability.

References: 4 total

Authorized Data Publishers

CISA-ADP

Updated: 2026-03-20

Provides SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC: 2 total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| none | no | total | 2.0.3 | 2025-07-31 |
| active | no | total | 2.0.3 | 2026-03-20 |

KEV: 1 total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31277 (2026-03-20)

CWE: 1 total

- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 1 total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CISA
Published
November 3rd, 2025
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
CVE-2025-31277

Who this affects

Applies to
Consumers; Technology companies
Industry sector
5112 Software & Technology; 3345 Medical Device Manufacturing
Activity scope
Vulnerability Management; Software Updates
Geographic scope
United States (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Vulnerability Management; Software Updates
