CVE-2025-46282
Description
The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-46282 is a medium-severity vulnerability in Apple Safari and macOS Tahoe that could allow an app to access sensitive user data due to insufficient permissions checks.
Vulnerability Overview
CVE-2025-46282 is a permissions checking flaw in Apple Safari and macOS Tahoe. The issue was addressed with additional permissions checks, as noted in the security content updates for Safari 26.2 and macOS Tahoe 26.2 [1][2]. The root cause is insufficient validation of permissions, which could allow an app to access sensitive user data without proper authorization.
Exploitation and Attack Surface
Exploitation of this vulnerability requires an app to be running on the affected system. The attack surface is local, meaning an attacker would need the ability to run a malicious app on the device. No user interaction beyond installing or running the app is needed. The vulnerability is present in both Safari and macOS Tahoe, meaning it affects users of these platforms [1][2].
Impact
If exploited, an attacker could gain access to sensitive user data. The official description states that an app may be able to access sensitive user data, and the reference for macOS Tahoe specifies that sensitive payment tokens could be exposed [1]. This could lead to financial fraud or identity theft if payment information is compromised.
Mitigation
Apple has released patches for this vulnerability in Safari 26.2 and macOS Tahoe 26.2, released on December 12, 2025 [1][2]. Users are strongly advised to update their software to the latest versions to protect against potential exploitation. There are no known workarounds, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <26.2)
- (no CPE) (range: <26.2)
- Range: <26.2
Patches
No patches discovered yet.
References
- support.apple.com/en-us/125886 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/125892 (nvd: Release Notes, Vendor Advisory)