APPLE-SA-12-12-2025-9 Safari 26.2

Safari 26.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125892.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted
Description: This issue was addressed with improved URL validation.
CVE-2025-43526: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

Safari Downloads
Available for: macOS Sonoma and macOS Sequoia
Impact: A download's origin may be incorrectly associated
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-8906: @retsew0x01

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional permissions checks.
WebKit Bugzilla: 295941
CVE-2025-46282: Wojciech Regula of SecuRing (wojciechregula.blog)

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A type confusion issue was addressed with improved state handling.
WebKit Bugzilla: 301257
CVE-2025-43541: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 301726
CVE-2025-43536: Nan Wang (@eternalsakura13)

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 300774
WebKit Bugzilla: 301338
CVE-2025-43535: Google Big Sleep, Nan Wang (@eternalsakura13)

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A buffer overflow issue was addressed with improved memory handling.
WebKit Bugzilla: 301371
CVE-2025-43501: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A race condition was addressed with improved state handling.
WebKit Bugzilla: 301940
CVE-2025-43531: Phil Pizlo of Epic Games

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 302502
CVE-2025-43529: Google Threat Analysis Group

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.
Description: A memory corruption issue was addressed with improved validation.
WebKit Bugzilla: 303614
CVE-2025-14174: Apple and Google Threat Analysis Group

WebKit Web Inspector
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 300926
CVE-2025-43511: 이동하 (Lee Dong Ha of BoB 14th)

Additional recognition

Safari
We would like to acknowledge Mochammad Nosa Shandy Prastyo for their assistance.

WebKit
We would like to acknowledge Geva Nurgandi Syahputra (gevakun) for their assistance.

Safari 26.2 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
