{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24222", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-01-17T00:00:45.004Z", "datePublished": "2025-05-12T21:42:56.449Z", "dateUpdated": "2026-04-02T18:23:16.684Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing maliciously crafted web content may lead to an unexpected process crash"}]}], "affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "15.5", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.5. Processing maliciously crafted web content may lead to an unexpected process crash."}], "references": [{"url": "https://support.apple.com/en-us/122716"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:23:16.684Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-13T20:10:04.620426Z", "id": "CVE-2025-24222", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:09:22.472Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/May/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:44:10.984Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24222", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-13T20:10:04.620426Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T20:11:39.284Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "15.5", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122716"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.5. Processing maliciously crafted web content may lead to an unexpected process crash."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing maliciously crafted web content may lead to an unexpected process crash"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-05-12T21:42:56.449Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24222", "state": "PUBLISHED", "dateUpdated": "2025-05-14T15:09:22.472Z", "dateReserved": "2025-01-17T00:00:45.004Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-05-12T21:42:56.449Z", "assignerShortName": "apple"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF1B4AB8-2B51-4EED-BD29-C500C83FAB10", "versionEndExcluding": "15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.5. Processing maliciously crafted web content may lead to an unexpected process crash."}, {"lang": "es", "value": "El problema se solucion\u00f3 mejorando la gesti\u00f3n de la memoria. Este problema se solucion\u00f3 en macOS Sequoia 15.5. El procesamiento de contenido web malintencionado puede provocar un bloqueo inesperado del proceso."}], "id": "CVE-2025-24222", "lastModified": "2025-11-03T20:17:52.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-12T22:15:20.083", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122716"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/7"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:53:33.467360+00:00", "value": {"mitigation_remediation": ["Upgrade macOS to Sequoia\u202f15.5 or later via Software Update.", "Reboot the system after the update to ensure all services use the patched code.", "Avoid browsing untrusted sites until an upgrade is available, and consider using a sandboxed browser or strict content filtering to reduce exposure to malformed web pages."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service \u2013 process crashes caused by malicious web content"}, "threat_synthesis": {"affected_systems": "Apple\u2019s macOS operating system is affected, specifically the Sequoia release series. The issue was fixed in macOS Sequoia 15.5, so versions prior to 15.5 remain vulnerable. Users running Sequoia 15.0\u201315.4 or any earlier minor revisions may experience crashes when encountering malformed web content.", "description_and_impact": "The vulnerability arises from improper memory handling in macOS\u2019s web content rendering processes. When maliciously crafted web content is processed, the application may unexpectedly crash, leading to a denial of service: the affected process terminates unexpectedly, disrupting user sessions and potentially affecting system stability for web\u2011based workloads.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate risk level, while the EPSS < 1% points to a very low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known large\u2011scale attacks. Attackers would need to supply specially crafted content that a user\u2019s browser processes, so the feasible attack vector is through malicious web pages or compromised web applications. The official fix in 15.5 corrects the memory handling, eliminating the crash vector once upgraded."}}}}, "created": "2026-04-28T19:00:20.872049+00:00", "title": "Malicious Web Content Crash Vulnerability", "updated": "2026-04-28T19:00:20.872059+00:00", "vendors": []}