CVE-2025-43376 - Vulnerability Details

A logic issue was addressed with improved state management. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apple	Ios Ipados Iphone Os Safari Tvos Visionos Watchos

Configuration 1 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:visionos::::::::
	cpe:2.3:o:apple:watchos::::::::

No data.

References

Link	Providers
https://support.apple.com/en-us/125108
https://support.apple.com/en-us/125113
https://support.apple.com/en-us/125114
https://support.apple.com/en-us/125115
https://support.apple.com/en-us/125116

History

Wed, 10 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 05 Nov 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple iphone Os
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple iphone Os
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Tue, 04 Nov 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios Apple ipados Apple safari Apple tvos Apple visionos Apple watchos
Vendors & Products		Apple Apple ios Apple ipados Apple safari Apple tvos Apple visionos Apple watchos

Tue, 04 Nov 2025 01:45:00 +0000

Type	Values Removed	Values Added
Description		A logic issue was addressed with improved state management. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.
References		https://support.apple.com/en-us/125108 https://support.apple.com/en-us/125113 https://support.apple.com/en-us/125114 https://support.apple.com/en-us/125115 https://support.apple.com/en-us/125116

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-11-04T01:16:17.454Z

Updated: 2025-12-10T20:46:54.199Z

Reserved: 2025-04-16T15:24:37.115Z

Link: CVE-2025-43376

Vulnrichment

Updated: 2025-12-10T20:46:08.520Z

NVD

Status : Modified

Published: 2025-11-04T02:15:44.710

Modified: 2025-12-10T21:16:04.007

Link: CVE-2025-43376

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object