CVE-2025-24209: Buffer Overflow
Published Mar 31, 2025
·Updated
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Other sources
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may lead to an unexpected process crash.
— Debian
Accessibility. A logging issue was addressed with improved data redaction.
— Apple
AccountPolicy. This issue was addressed by removing the vulnerable code.
— Apple
Accounts. This issue was addressed with improved data access restriction.
— Apple
AirDrop. A permissions issue was addressed with additional restrictions.
— Apple
Credit
Google V8 Security Team, Francisco Alonso@@revskills, an anonymous researcher, Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, rheza@@ginggilBesel, PixiePoint Security, Andreas Hegenberg (folivora.AI GmbH), @@RenwaX23, Jaydev Ahire, Syarif Muhammad Sajjad, Alexander Heinrich@@Sn0wfreeze, SEEMOO, TU Darmstadt & Mathy Vanhoef@@vanhoefm, Jeroen Robben@@RobbenJeroen, DistriNet, KU Leuven, Vsevolod Kokorin (Slonser)(Solidlab), Gary Kwong, Paul Bakker(ParagonERP), Martin Kreichgauer(Google Chrome), Lehan Dilusha@@zafer, Uri Katz (Oligo Security), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Yutong Xiu@@Sou1gh0st, Denis Tokarev@@illusionofcha0s, Kirin@@Pwnrin, CVE-2025-24085, CVE-2024-9681, LFY@@secsys(Fudan University), Anonymous(Trend Micro Zero Day Initiative), Michael (Biscuit) Thomas - @social.lol@@biscuit, Ian Beer(Google Project Zero), CVE-2025-27113, CVE-2024-56171, Jimmy, Jax Reissner, Mickey Jin@@patch1t, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), Luyi Xing(Indiana University Bloomington), Andrew James Gonzalez, Richard Hyunho Im with routezero.security@@richeeta, YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), Minghao Lin@@Y1nKoc, Apple, Lukas Bernhard, Tashita Software Security, Xiangwei Zhang(Tencent Security YUNDING LAB), linjy(HKUS3Lab), chluo(WHUSecLab), Brendon Tiszka(Google Project Zero), Google Threat Analysis Group, wac(Trend Micro Zero Day Initiative), pattern-f@@pattern_F_, Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), CVE-2024-48958, Alex Radocea(Supernetworks), Dave G.(Supernetworks), 风沐云烟@@binary_fmyy, Halle Winkler, Politepix theoffcuts.org, Bohdan Stasiuk@@bohdan_stasiuk, Ron Masas(BREAKPOINT), Dominik Rath, Andr.Ess, Wang Yu(Cyberserval), Zhongcheng Li(IES Red Team of ByteDance), Gergely Kalman@@gergely_kalman, mzzzz__, Alexia Wilson(Microsoft), Christine Fossaceca(Microsoft), Florian Draschbacher, Dalibor Milanovic, Wojciech Regula(SecuRing), Abhay Kailasia@@abhay_kailasia(C), Chi Yuan Chang(ZUSO ART), taikosoup, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Jeffrey Hofmann, Ian Mckay@@iann0036, Csaba Fitzl@@theevilbit(Kandji), Nolan Astrein(Kandji), Stephan Casas, Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), Pietro Francesco Tirenna(Shielder), Davide Silvetti(Shielder), Abdel Adim Oisfi(Shielder), luckyu@@uuulucky, Rodolphe BRUNETTI@@eisw0lf, Manuel Fernandez (Stackhopper Security), ABC Research s.r.o., Murray Mike, Dayton Pidhirney(Atredis Partners), Lyutoon, YenKoc, Ye Zhang@@VAR10CK(Baidu Security), Koh M. Nakagawa@@tsunek0h(FFRI Security Inc), Joseph Ravichandran@@0xjprx(MIT CSAIL), Kenneth Chew, Paweł Płatek (Trail(Bits), Diamant Osmani & Valdrin Haliti [Kosovë], dbpeppe, Solitechworld, Pwn2car, Alhour@@NSAntoine, Mickey Jin@@patch1t(Kandji), (Kandji), Pedro Tôrres@@t0rr3sp3dr0, Noah Gregory (wts.dev), CVE-2023-27043, Yiğit Can YILMAZ@@yilmazcanyigit, Arsenii Kostromin (0x3c3e), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Dolf Hoegaerts, Michiel Devliegere, K宝@@Pwnrin, Tong Liu@@Lyutoon_, 风(binary_fmyy), F00L, Dave G., zbleet(QI), Cristian Dinca(Computer Science), Romania, 风沐云烟 (binary_fmyy), Kirin, FlowerCode, Zhongquan Li@@Guluisacat, Pedro José Pereira Vieito / pvieito.com)@@pvieito
Affected Software
15 affected componentsFixes available
Apple Safari<18.4
18.4
debian/webkit2gtk<=2.44.2-1~deb11u1, <=2.46.6-1~deb11u1, <=2.46.6-1~deb12u1
2.48.1-2~deb12u12.48.1-2
debian/wpewebkit<=2.38.6-1~deb11u1, <=2.38.6-1
2.48.1-1
Apple WatchOS<11.4
11.4
Apple iOS<18.4
18.4
Apple iPadOS<18.4
18.4
Apple tvOS<18.4
18.4
Apple macOS Sequoia<15.4
15.4
Apple Safari<18.4
Apple iPadOS<17.7.6
Apple iPadOS>=18.0<18.4
Apple iPhone OS<18.4
Apple macOS>=15.0<15.4
Apple tvOS<18.4
Apple iPadOS<17.7.6
17.7.6
Event History
Mar 31, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Affected Software
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
CVE Published
via MITRE·10:23 PM
Data Sourced
via MITRE·10:23 PM
DescriptionWeakness
Data Sourced
via NVD·11:15 PM
DescriptionSeverityWeaknessAffected Software
Apr 1, 2025
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Apr 7, 2025
Data Sourced
via Red Hat·02:28 PM
DescriptionSeverityAffected Software
Apr 15, 2025
Data Sourced
via Ubuntu·12:43 AM
RemedyDescriptionSeverityAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-24180
- CVE-2025-24113
- CVE-2025-30467
- CVE-2025-31192
- CVE-2025-24167
- CVE-2025-31184
- CVE-2025-24192
- CVE-2025-24264
- CVE-2025-24216
- CVE-2025-24213
- CVE-2025-24209
- CVE-2025-24208
- CVE-2025-30427
- CVE-2025-30425
- CVE-2025-24097
- CVE-2025-24251
- CVE-2025-24244
- CVE-2025-24243
- CVE-2025-30430
- CVE-2025-24237
- CVE-2025-30429
- CVE-2025-24212
- CVE-2025-24163
- CVE-2025-24230
- CVE-2025-24190
- CVE-2025-30454
- CVE-2025-31191
- CVE-2025-24182
- CVE-2025-31203
- CVE-2024-9681
- CVE-2025-30439
- CVE-2025-24283
- CVE-2025-30447
- CVE-2025-24210
- CVE-2025-24257
- CVE-2025-30432
- CVE-2024-48958
- CVE-2025-24194
- CVE-2025-27113
- CVE-2024-56171
- CVE-2025-24178
- CVE-2025-31182
- CVE-2025-24238
- CVE-2025-30470
- CVE-2025-30426
- CVE-2025-24173
- CVE-2025-30471
- CVE-2025-30438
- CVE-2025-30433
- CVE-2025-31183
- CVE-2025-24217
- CVE-2025-24214
- CVE-2025-24201
- CVE-2025-24202
- CVE-2025-24221
- CVE-2025-24271
- CVE-2025-24270
- CVE-2025-31202
- CVE-2025-24252
- CVE-2025-24206
- CVE-2025-30445
- CVE-2025-31197
- CVE-2025-24211
- CVE-2025-30456
- CVE-2025-30463
- CVE-2025-30434
- CVE-2025-24193
- CVE-2025-30428
- CVE-2025-30469
- CVE-2025-24095
- CVE-2025-24205
- CVE-2025-24198
- CVE-2025-24234
- CVE-2025-24276
- CVE-2025-24272
- CVE-2025-24239
- CVE-2025-24233
- CVE-2025-30443
- CVE-2025-24245
- CVE-2025-30460
- CVE-2025-24215
- CVE-2025-24236
- CVE-2025-24277
- CVE-2025-24255
- CVE-2025-24267
- CVE-2025-30455
- CVE-2025-31187
- CVE-2025-30462
- CVE-2025-30451
- CVE-2025-24281
- CVE-2025-30461
- CVE-2025-24199
- CVE-2025-30464
- CVE-2025-24273
- CVE-2025-24256
- CVE-2025-24249
- CVE-2025-24229
- CVE-2025-30437
- CVE-2025-24235
- CVE-2025-24204
- CVE-2025-24203
- CVE-2025-24196
- CVE-2025-24148
- CVE-2025-24195
- CVE-2025-24172
- CVE-2025-30450
- CVE-2025-24262
- CVE-2025-24232
- CVE-2025-24246
- CVE-2025-24261
- CVE-2025-24164
- CVE-2025-30446
- CVE-2025-24259
- CVE-2025-30424
- CVE-2023-27043
- CVE-2025-24191
- CVE-2025-24093
- CVE-2025-30452
- CVE-2025-24181
- CVE-2025-30458
- CVE-2025-24250
- CVE-2025-30465
- CVE-2025-24280
- CVE-2025-31194
- CVE-2025-30435
- CVE-2025-24248
- CVE-2025-24269
- CVE-2025-30444
- CVE-2025-24228
- CVE-2025-24260
- CVE-2025-24282
- CVE-2025-24254
- CVE-2025-24231
- CVE-2025-24263
- CVE-2025-24207
- CVE-2025-30449
- CVE-2025-24253
- CVE-2025-24240
- CVE-2025-31188
- CVE-2025-24218
- CVE-2025-24278
- CVE-2025-24242
- CVE-2025-30457
- CVE-2025-24279
- CVE-2025-24247
- CVE-2025-24241
- CVE-2025-24266
- CVE-2025-24265
- CVE-2025-24157
- CVE-2025-30466
- CVE-2025-24131
- CVE-2025-24177
- CVE-2025-24179
- CVE-2025-43205
- CVE-2025-24085
- CVE-2024-54543
- CVE-2024-54534
- CVE-2024-54508
- CVE-2024-54502
- CVE-2025-31196
- CVE-2025-31199
- CVE-2025-24220
- CVE-2025-30436
- CVE-2025-31272
- CVE-2025-24170
- CVE-2025-31189
- CVE-2025-30453
- CVE-2025-24258
- CVE-2025-30431
- CVE-2025-30448
- CVE-2025-31263
- CVE-2025-31231
- CVE-2025-31264
- CVE-2025-46308
- CVE-2025-24284
- CVE-2025-30459
- CVE-2025-24268
- CVE-2025-43184
- CVE-2025-24165
- CVE-2025-30442
- CVE-2025-31261
- CVE-2025-46293
- CVE-2025-43278
- CVE-2025-31195
- CVE-2025-31198
Frequently Asked Questions
1
What is the severity of CVE-2025-24209?
CVE-2025-24209 has been classified as a buffer overflow vulnerability that could lead to unexpected process crashes.
2
How do I fix CVE-2025-24209?
To fix CVE-2025-24209, update to the latest versions of affected products such as tvOS 18.4, iOS 18.4, iPadOS 18.4, Safari 18.4, and macOS Sequoia 15.4.
3
What products are affected by CVE-2025-24209?
CVE-2025-24209 affects several Apple products including Safari, iOS, iPadOS, tvOS, and macOS Sequoia.
4
What causes CVE-2025-24209?
CVE-2025-24209 is caused by a buffer overflow due to improper handling of maliciously crafted web content.
5
What are the consequences of CVE-2025-24209?
The consequences of CVE-2025-24209 include potential process crashes of applications processing web content.