SB20250916326 - Multiple vulnerabilities in WebKitGTK+ and WPE WebKit

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-43356)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing permissions checks. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensor information without user consent.

2) Use after free (CVE-ID: CVE-2025-43368)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit Process Model. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.

3) Improper access control (CVE-ID: CVE-2025-43342)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper access restrictions in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser.

4) Memory corruption (CVE-ID: CVE-2025-43343)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser. 

5) Memory corruption (CVE-ID: CVE-2025-43272)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and crash the browser. 

Remediation

Install update from vendor's website.

References

• https://support.apple.com/en-us/125113
• https://webkitgtk.org/security/WSA-2025-0006.html
• https://support.apple.com/en-us/125110
• https://webkitgtk.org/security/WSA-2025-0007.html