EXECUTIVE SUMMARY:
Five vulnerabilities have been identified in Apple’s WebKit browser engine, discovered by Google’s AI-powered “Big Sleep” vulnerability detection system, and tracked as CVE-2025-43429, CVE-2025-43430, CVE-2025-43431, CVE-2025-43433, and CVE-2025-43434. These flaws impact macOS and Safari, allowing attackers to trigger memory corruption, execute arbitrary code, or crash the browser through maliciously crafted web content.
- CVE-2025-43429: With a CVSS v3.1 score of 4.3, this buffer overflow vulnerability arises when WebKit processes specially crafted web content. Exploitation can result in arbitrary code execution or browser crashes, leading to possible compromise of user sessions.
- CVE-2025-43430: Rated 4.3, this flaw causes unexpected process termination due to improper memory handling when rendering malicious web content, potentially allowing denial-of-service attacks.
- CVE-2025-43431 and CVE-2025-43433: Both are memory corruption vulnerabilities with a CVSS v3.1 score of 8.8 (high). Attackers can exploit them by luring victims to malicious websites, resulting in memory manipulation and potential remote code execution within the browser sandbox.
- CVE-2025-43434: The most severe, with a CVSS v3.1 score of 4.3, this use-after-free vulnerability can be exploited through crafted web content to execute arbitrary code or crash Safari. It poses a critical risk to unpatched Apple devices.
These vulnerabilities present a serious threat to all Apple device users, as exploitation could lead to remote code execution and full browser compromise through a single malicious webpage.
RECOMMENDATION:
- We strongly recommend you update macOS to version Tahoe 26.1 and Safari to version 26.1 or later.
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2025/11/googles-ai-big-sleep-finds-5-new.html
