Big Sleep, Google’s AI cybersecurity agent, has identified five new vulnerabilities in Apple’s Safari WebKit that could lead to memory corruption or a browser crash.
Big Sleep is the result of a collaboration between DeepMind and Google Project Zero, aiming to harness AI to find and report software vulnerabilities. Its most recent findings concern another large player in the technology world: Apple.
Big Sleep was launched in November 2024, and in the year that has followed it has identified 20 previously unknown security flaws. A major milestone was reached when Big Sleep identified and prevented a zero-day SQLite vulnerability (CVE-2025-6965). This proved that AI had a real role to play in securing codebases in practice, not just in theory.
The agent’s most recently identified flaws affect Apple’s Safari web browser, specifically WebKit. The vulnerabilities are:
- CVE-2025-43429 – A buffer overflow vulnerability
- CVE-2025-43430 – Unspecified vulnerability that could lead to unexpected process crashes
- CVE-2025-43431 – May lead to memory corruption
- CVE-2025-43433 – May lead to memory corruption
- CVE-2025-43434 – UAF (Use-after-free) vulnerability that could lead to an unexpected Safari crash
Apple has released patches for all five vulnerabilities as part of the 26.1 update for iOS, iPadOS, macOS, visionOS, and Tahoe. Beyond the five vulnerabilities already mentioned, this update aims to patch issues including privacy breaches, app crashes, and data leak risks. In total, the update addressed over 50 issues affecting core components including WebKit, the Kernel, and Accessibility features.
At the time of writing, none of these vulnerabilities has been exploited in the wild. Provided users update their systems as required, these flaws should never be exploited in the wild.
The Bigger Picture
It is significant that an AI tool has been so effective in identifying these vulnerabilities, particularly in the software of a company like Apple, which prides itself on being secure.
Last month we reported on Apple’s own bug bounty program, which now offers up to $5M for identifying flaws. It might have been a better look if Apple had identified these flaws itself, rather than a rival company getting the plaudits.
Both Google and Apple are key players in taking AI technology and harnessing it to drive improvements; using AI to detect vulnerabilities is a great way of doing this.
While each company will want to prove that it has a better grasp of AI than the other, there is a risk that if this competition gets too heated, then everyone loses. Eroding trust in security because of AI could have negative repercussions across the industry.