GHSA-7mgf-w3jg-xvr7 · Severity: high — The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1,...
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption.
Conclusion & alert: CVE-2025-43433 is rated Moderate Risk (56.6/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.07%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-30 | 0.87% | 1.07% | +0.20% |
| 2 | 2026-06-15 | 0.07% | 0.87% | +0.80% |
| 3 | 2026-04-14 | — | 0.07% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c |
GHSA-7mgf-w3jg-xvr7 · Severity: high — The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1,...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
end-of-life | CVE-2025-43433 end-of-life priority: Debian including 2 source packages (webkit2gtk, wpewebkit), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 7, open 3. | https://security-tracker.debian.org/tracker/CVE-2025-43433 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-43433 |
suse
|
high | CVE-2025-43433 severity important: SUSE including 88 source package names (WebKitGTK-4.0-lang-2.52.0-150400.4.137.3, WebKitGTK-4.0-lang-2.52.1-150600.12.63.1, …), 359 product×package rows across 24 product lines (SUSE Liberty Linux 8, SUSE Liberty Linux 9, … (24 product lines)): Fixed 341, First Fixed 18. | https://www.suse.com/security/cve/CVE-2025-43433/ |
ubuntu
|
medium | CVE-2025-43433 medium priority: Ubuntu including 5 source packages (qtwebkit-opensource-src, qtwebkit-source, webkit2gtk, webkitgtk, wpewebkit), 31 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): ignored 14, DNE 9, needs-triage 4, released 4. | https://ubuntu.com/security/CVE-2025-43433 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apple | safari | < 26.1 | cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* |
| apple | ipados | < 26.1 | cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* |
| apple | iphone_os | < 26.1 | cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
| apple | tvos | < 26.1 | cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* |
| apple | visionos | < 26.1 | cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* |
| apple | watchos | < 26.1 | cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* |