Google AI Uncovers Critical Safari WebKit Flaws; Apple Releases Patches

Google’s AI ‘Big Sleep’ Uncovers Critical Safari WebKit Vulnerabilities

In a significant advancement for cybersecurity, Google’s artificial intelligence (AI) agent, known as Big Sleep, has identified five critical security vulnerabilities in WebKit, the browser engine behind Apple’s Safari web browser. These flaws, if exploited, could lead to browser crashes or memory corruption, posing substantial risks to users.

Detailed Overview of the Vulnerabilities:

1. CVE-2025-43429: This buffer overflow vulnerability can cause unexpected process crashes when processing maliciously crafted web content. Apple has addressed this issue through improved bounds checking.

2. CVE-2025-43430: An unspecified flaw that may result in unexpected process crashes upon handling malicious web content. The fix involves enhanced state management.

3. CVE-2025-43431 and CVE-2025-43433: These vulnerabilities can lead to memory corruption when processing malicious web content. Apple has mitigated these risks by improving memory handling.

4. CVE-2025-43434: A use-after-free vulnerability that could cause Safari to crash unexpectedly when dealing with malicious web content. Improved state management has been implemented to resolve this issue.

Apple’s Response and Patch Deployment:

On November 4, 2025, Apple released patches to address these vulnerabilities across multiple platforms, including:

– iOS 26.1 and iPadOS 26.1: Compatible with iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.

– macOS Tahoe 26.1: For Macs running macOS Tahoe.

– tvOS 26.1: Applicable to Apple TV 4K (2nd generation and later).

– visionOS 26.1: For all models of Apple Vision Pro.

– watchOS 26.1: Compatible with Apple Watch Series 6 and later.

– Safari 26.1: For Macs running macOS Sonoma and macOS Sequoia.

About Google’s Big Sleep:

Formerly known as Project Naptime, Big Sleep is an AI agent developed through a collaboration between Google’s DeepMind and Project Zero teams. Launched in 2024, it has as its primary objective automating the discovery of software vulnerabilities, enhancing cybersecurity measures.

Previous Achievements of Big Sleep:

Earlier in 2025, Big Sleep identified a critical security flaw in the SQLite database engine, designated as CVE-2025-6965 with a CVSS score of 7.2. This vulnerability was at significant risk of being exploited by malicious actors.

Implications and Recommendations:

While there is no evidence that these newly discovered vulnerabilities have been exploited in the wild, it is crucial for users to update their devices to the latest software versions promptly. Regular updates ensure optimal protection against potential security threats.