Home / mailings APPLE-SA-12-12-2025-9 Safari 26.2
Posted on 13 December 2025
Apple Security-announceAPPLE-SA-12-12-2025-9 Safari 26.2
Safari 26.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125892.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: On a Mac with Lockdown Mode enabled, web content opened via a
file URL may be able to use Web APIs that should be restricted
Description: This issue was addressed with improved URL validation.
CVE-2025-43526: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
Safari Downloads
Available for: macOS Sonoma and macOS Sequoia
Impact: A download's origin may be incorrectly associated
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-8906: @retsew0x01
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional permissions checks.
WebKit Bugzilla: 295941
CVE-2025-46282: Wojciech Regula of SecuRing (wojciechregula.blog)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: A type confusion issue was addressed with improved state
handling.
WebKit Bugzilla: 301257
CVE-2025-43541: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A use-after-free issue was addressed with improved memory
management.
WebKit Bugzilla: 301726
CVE-2025-43536: Nan Wang (@eternalsakura13)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 300774
WebKit Bugzilla: 301338
CVE-2025-43535: Google Big Sleep, Nan Wang (@eternalsakura13)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A buffer overflow issue was addressed with improved memory
handling.
WebKit Bugzilla: 301371
CVE-2025-43501: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A race condition was addressed with improved state
handling.
WebKit Bugzilla: 301940
CVE-2025-43531: Phil Pizlo of Epic Games
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited in an extremely sophisticated attack against specific targeted
individuals on versions of iOS before iOS 26. CVE-2025-14174 was also
issued in response to this report.
Description: A use-after-free issue was addressed with improved memory
management.
WebKit Bugzilla: 302502
CVE-2025-43529: Google Threat Analysis Group
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to memory
corruption. Apple is aware of a report that this issue may have been
exploited in an extremely sophisticated attack against specific targeted
individuals on versions of iOS before iOS 26. CVE-2025-43529 was also
issued in response to this report.
Description: A memory corruption issue was addressed with improved
validation.
WebKit Bugzilla: 303614
CVE-2025-14174: Apple and Google Threat Analysis Group
WebKit Web Inspector
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A use-after-free issue was addressed with improved memory
management.
WebKit Bugzilla: 300926
CVE-2025-43511: =EC=9D=B4=EB=8F=99=ED=95=98 (Lee Dong Ha of BoB 14th)
Additional recognition
Safari
We would like to acknowledge Mochammad Nosa Shandy Prastyo for their
assistance.
WebKit
We would like to acknowledge Geva Nurgandi Syahputra (gevakun) for their
assistance.
Safari 26.2 may be obtained from the Mac App Store.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
