What is the CVSS score of CVE-2025-43216?

CVE-2025-43216 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Is there a patch available for CVE-2025-43216?

Yes, a patch is available for CVE-2025-43216. Update the affected software to the latest version immediately.

iOS CVE-2025-43216

MEDIUM

Use After Free (CWE-416)

2025-07-30 product-security@apple.com

Denial Of Service Use After Free Apple iOS macOS Red Hat Ipados Iphone Os Safari Tvos Visionos Watchos Suse

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 06, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 02, 2026 - 19:37 vuln.today

CVE Published

Jul 30, 2025 - 00:15 nvd

MEDIUM 6.5

DescriptionNVD

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.

AnalysisAI

Safari and Apple operating systems contain a use-after-free vulnerability in web content processing that causes unexpected application crashes when users visit maliciously crafted websites. The flaw affects Safari 18.5 and earlier, iOS 18.5 and earlier, iPadOS 18.5 and earlier (also iPadOS 17.7.8 and earlier), macOS Sequoia 15.5 and earlier, tvOS 18.5 and earlier, visionOS 2.5 and earlier, and watchOS 11.5 and earlier. Remote attackers can trigger a denial-of-service condition requiring only user interaction to visit a malicious page, with no elevated privileges required. Apple has released patches for all affected platforms; the EPSS score of 0.10% (28th percentile) indicates low real-world exploitation probability despite the accessibility of the attack vector.

Technical ContextAI

The vulnerability stems from improper memory management in WebKit's web content rendering engine, classified as CWE-416 (use-after-free). When processing specially crafted web content, the engine fails to properly manage object lifecycles, allowing a freed memory region to be dereferenced during subsequent rendering operations. This memory safety issue affects the core web rendering path that processes HTML, CSS, and JavaScript in Safari across all Apple platforms (macOS, iOS, iPadOS, tvOS, visionOS, and watchOS). The use-after-free occurs within the rendering pipeline that handles web page layout and display, making it reachable through standard web browsing without special plugins or extensions.

RemediationAI

Users should immediately update to the patched versions: Safari 18.6 or later, iOS 18.6 or later, iPadOS 18.6 or later (or iPadOS 17.7.9 or later for devices not eligible for iPadOS 18), macOS Sequoia 15.6 or later, tvOS 18.6 or later, visionOS 2.6 or later, and watchOS 11.6 or later. These updates address the use-after-free issue with improved memory management in WebKit. No workaround is available for users unable to immediately patch; the primary mitigation is to avoid visiting untrusted websites until systems are updated. Detailed patch release notes and update instructions are provided in Apple's official security advisories at support.apple.com (references 124147-124155). Enterprise environments should prioritize patch deployment for systems where users browse untrusted content.