What is Apple WebKit / JavaScriptCore?
WebKit is Apple's open-source browser engine that powers Safari on all Apple platforms. JavaScriptCore (JSC) is WebKit's JavaScript engine, which includes a JIT (Just-In-Time) compiler that translates frequently executed JavaScript into native machine code. Apple's App Store policy requires all iOS browsers to use WebKit — meaning this vulnerability affects every browser on every iPhone and iPad regardless of which browser the user opens.
Overview
CVE-2025-31277 is a buffer overflow vulnerability (CWE-119) in WebKit's JavaScriptCore JIT compiler that allows an attacker to achieve memory corruption and code execution by tricking a user into visiting a malicious web page. The vulnerability is the initial entry-point RCE component of the DarkSword iOS exploit chain — a sophisticated six-CVE attack toolkit used by at least three distinct threat actors, including a Turkish commercial surveillance vendor (PARS Defense) and a suspected Russian espionage group (UNC6353). CISA added the vulnerability to the KEV catalog on March 20, 2026.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS / iPadOS | 18.4 – 18.5 | 18.6 |
| macOS Sequoia | 15.0 – 15.5 | 15.6 |
| Safari | ≤ 18.5 | 18.6 |
| watchOS | ≤ 11.5 | 11.6 |
| tvOS | ≤ 18.5 | 18.6 |
| visionOS | < 2.6 | 2.6 |
Against devices already running iOS 18.6 or later, the DarkSword chain substituted a different entry-point RCE component (CVE-2025-43529, a WebKit use-after-free).
Technical Details
The buffer overflow (CWE-119) lies in JavaScriptCore's JIT compilation path. When the JIT optimizes JavaScript served by a crafted web page, out-of-bounds operations in the engine's type inference or compilation stages corrupt memory. From that corruption, the exploit builds the standard JSC primitives (fakeobj/addrof) and uses them to obtain arbitrary read/write within the browser process.
CVE-2025-31277 provides the initial RCE within the WebKit renderer sandbox. It is the first step of the full DarkSword chain:
- CVE-2025-31277 (or CVE-2025-43529 for iOS 18.6+ targets): WebKit/JSC RCE → code execution in renderer sandbox
- CVE-2025-14174 (WebGL/ANGLE zero-day): Renderer sandbox escape
- CVE-2025-43510 / CVE-2025-43520: Kernel privilege escalation via shared-memory improper locking
- CVE-2026-20700 (dyld zero-day): PAC (Pointer Authentication Code) bypass for full code signing circumvention
The full six-CVE chain achieves complete device takeover, bypassing all iOS security mitigations including sandbox, PAC, and ASLR.
Discovery
Discovered by Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei; reported to Apple by Google Threat Intelligence Group (GTIG). The vulnerability was identified as part of GTIG's investigation into the DarkSword exploit chain.
Exploitation Context
At least three distinct threat actors exploited the DarkSword chain, which incorporated CVE-2025-31277:
- UNC6748: Initial DarkSword operator; ran watering hole attacks via a fake Snapchat-themed site; delivered GHOSTKNIFE backdoor; targets in Saudi Arabia and Turkey
- PARS Defense: Turkish commercial surveillance vendor; deployed against targets in Turkey and Malaysia
- UNC6353: Suspected Russian espionage group; watering hole campaigns against Ukrainian users; delivered GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER malware families via the parallel Coruna exploit kit
The eight-month gap between Apple's July 2025 patch and the March 2026 CISA KEV listing reflects that the full DarkSword chain was used in targeted espionage for months before its exploitation became public, a pattern typical of mercenary spyware and nation-state toolchains that are carefully concealed.
Remediation
- Update all Apple devices to iOS/iPadOS 18.6 (or later), macOS Sequoia 15.6+, Safari 18.6+, watchOS 11.6+, tvOS 18.6+. The CISA deadline was April 3, 2026.
- Apply iOS 18.7.x or later for complete DarkSword chain protection — later releases addressed CVE-2025-43529, which targets iOS 18.6+ devices as an alternate entry point.
- Enable Lockdown Mode for high-risk individuals (journalists, government officials, activists, executives) — this significantly reduces the WebKit attack surface by disabling JIT compilation.
- Enable automatic updates on all managed Apple devices to minimize the window between patch release and deployment.
- Treat unpatched iOS devices as potentially compromised if used by high-value targets during the July 2025 – March 2026 window of active DarkSword exploitation.
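The remediation steps above amount to comparing each device's OS or browser version against the fixed versions in the Affected Versions table, with the extra iOS 18.7.x threshold for whole-chain protection. The following script is an added example, not code from the page or from Apple, that performs that triage over a device inventory. The `Device` record layout, the product names used as table keys, and the sample inventory are all constructed assumptions; a real deployment would map them from an MDM export.

```python
"""Fleet triage for CVE-2025-31277 (Apple WebKit / JavaScriptCore JIT overflow).

Added example: compares OS/browser versions from a device inventory against
the fixed versions in the advisory's Affected Versions table. The inventory
records below are constructed; the product names and record fields are
assumptions, not any MDM vendor's export format.
"""
from dataclasses import dataclass

# Earliest version containing the CVE-2025-31277 fix, per product (advisory table).
FIXED_VERSIONS = {
    "iOS": "18.6",
    "iPadOS": "18.6",
    "macOS": "15.6",
    "Safari": "18.6",
    "watchOS": "11.6",
    "tvOS": "18.6",
    "visionOS": "2.6",
}

# Per the advisory, the DarkSword chain used an alternate entry point
# (CVE-2025-43529) against iOS 18.6+, so 18.7.x or later is needed for
# protection against the whole chain, not just this CVE.
CHAIN_FIXED_VERSIONS = {"iOS": "18.7", "iPadOS": "18.7"}


def parse_version(text: str) -> tuple[int, ...]:
    """'18.4.1' -> (18, 4, 1). Parsing stops at the first non-numeric
    character, so an inventory value like '18.6 (22G86)' yields (18, 6)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a is older than b. Missing components count as 0, so 18.6 == 18.6.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


@dataclass
class Device:
    name: str
    product: str                 # key into FIXED_VERSIONS (assumed naming)
    version: str
    lockdown_mode: bool = False  # Lockdown Mode disables JIT, shrinking the WebKit attack surface


def assess(device: Device) -> dict:
    """Classify one device against this CVE and the broader DarkSword chain."""
    fixed = FIXED_VERSIONS.get(device.product)
    if fixed is None:
        return {"device": device.name, "status": "unknown-product",
                "action": "map the product name onto the advisory table"}
    if version_lt(device.version, fixed):
        action = f"update to {device.product} {fixed} or later"
        if device.lockdown_mode:
            action += " (Lockdown Mode on: JIT disabled, exposure reduced, still patch)"
        return {"device": device.name, "status": "vulnerable", "action": action}
    chain_fixed = CHAIN_FIXED_VERSIONS.get(device.product)
    if chain_fixed is not None and version_lt(device.version, chain_fixed):
        return {"device": device.name, "status": "chain-entry-point-open",
                "action": f"CVE-2025-31277 fixed; update to {chain_fixed}.x or later for CVE-2025-43529"}
    return {"device": device.name, "status": "patched", "action": "none"}


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by status so the vulnerable bucket can go straight to a ticket."""
    buckets: dict[str, list[str]] = {}
    for dev in devices:
        buckets.setdefault(assess(dev)["status"], []).append(dev.name)
    return buckets


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    Device("cfo-iphone", "iOS", "18.5.1"),
    Device("reporter-ipad", "iPadOS", "18.6.2", lockdown_mode=True),
    Device("build-mac", "macOS", "15.6.1"),
    Device("field-watch", "watchOS", "11.5"),
    Device("lobby-appletv", "tvOS", "18.6"),
    Device("exec-iphone", "iOS", "18.7.2"),
    Device("old-mac-safari", "Safari", "18.5"),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        result = assess(dev)
        print(f"{result['device']:<16} {result['status']:<24} {result['action']}")
```

The three-way status matters for prioritisation: a device in `chain-entry-point-open` is no longer exposed to CVE-2025-31277 itself but, per the remediation bullets, still needs the 18.7.x update before it can be considered protected against the DarkSword chain as a whole.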
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-31277 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2025-07-30 |
| NVD Last Modified | 2026-04-03 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 |
| CISA KEV Added | 2026-03-20 |
| CISA KEV Deadline | 2026-04-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-07-30 | Apple releases iOS 18.6 / macOS 15.6 / Safari 18.6 with fix |
| 2026-03-20 | Added to CISA Known Exploited Vulnerabilities catalog (DarkSword chain disclosed) |
| 2026-04-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 18.6 and iPadOS 18.6 | Vendor Advisory |
| Apple Security Advisory — macOS Sequoia 15.6 | Vendor Advisory |
| Apple Security Advisory — Safari 18.6 | Vendor Advisory |
| NVD — CVE-2025-31277 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Google GTIG — DarkSword iOS Exploit Chain | Security Research |
| DarkSword iOS Exploit Kit Uses 6 Flaws in Targeted Spyware Attacks | News |