CVE-2025-43529
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
Analysis
A use-after-free memory corruption flaw in WebKit allows arbitrary code execution in Safari, iOS/iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS releases that predate the fixed versions (Safari 26.2, iOS/iPadOS 18.7.3 and 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2). Remote attackers can execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. The EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. The related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users.
Technical Context
This vulnerability stems from a use-after-free condition (CWE-416) in WebKit, Apple's browser engine that powers Safari and in-app web content rendering across the entire Apple ecosystem. Use-after-free vulnerabilities occur when code continues to use a memory pointer after the referenced memory has been deallocated, creating opportunities for attackers to manipulate freed memory regions and redirect program execution flow. In WebKit's case, processing specially crafted web content triggers premature deallocation of objects that are subsequently referenced during rendering or JavaScript execution. The cross-platform nature of WebKit means this single memory management flaw propagates across Safari on macOS, mobile Safari on iOS/iPadOS, and embedded WebKit instances in tvOS, watchOS, and visionOS applications. Apple's acknowledgment of exploitation specifically on iOS versions before iOS 26 indicates the vulnerability likely resided in WebKit's mobile implementation for an extended period before discovery.
Affected Products
Affected products span Apple's entire ecosystem: releases before the 26.2 updates, plus iOS/iPadOS versions before 18.7.3. Safari versions before 26.2 on all supported macOS platforms contain the vulnerability. iOS and iPadOS are affected in two version ranges: versions before 18.7.3 and versions before 26.2, with Apple specifically confirming exploitation occurred on iOS versions prior to iOS 26. macOS Tahoe versions before 26.2 are vulnerable through both standalone Safari and system WebKit frameworks. tvOS versions before 26.2, visionOS versions before 26.2, and watchOS versions before 26.2 are all affected through their respective WebKit implementations used for in-app web content rendering. The complete vendor advisories, available at support.apple.com/en-us/125884 through 125892, provide platform-specific affected version details and build numbers.
Remediation
Immediately update all Apple devices to patched versions released by Apple in their coordinated security update. Install Safari 26.2 on macOS systems via Software Update or direct download from support.apple.com/en-us/125884. Update iOS and iPadOS devices to version 18.7.3 (advisory support.apple.com/en-us/125885) or version 26.2 (advisory support.apple.com/en-us/125886) depending on device compatibility. Update macOS Tahoe to version 26.2 per support.apple.com/en-us/125889. Update tvOS to 26.2 (support.apple.com/en-us/125890), visionOS to 26.2 (support.apple.com/en-us/125891), and watchOS to 26.2 (support.apple.com/en-us/125892). No effective workarounds exist for WebKit vulnerabilities given the engine's deep integration across the operating system; disabling JavaScript would break legitimate functionality while not fully mitigating use-after-free conditions that may trigger during HTML/CSS processing. Prioritize iOS/iPadOS updates for high-value individuals given confirmed exploitation on mobile platforms. Organizations should verify update deployment through mobile device management systems and treat this as an emergency patch cycle given active exploitation.
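One way to verify deployment against the fixed versions listed above, as an added example (not code from Apple or this site). The CSV column names and device rows are constructed, and treating a branch with no listed fix as unpatched is an assumption:

```python
import csv
import io

# Fixed releases named in the advisory text above (tuples compare numerically).
FIXED = {
    "safari": [(26, 2)],
    "ios": [(18, 7, 3), (26, 2)],
    "ipados": [(18, 7, 3), (26, 2)],
    "macos": [(26, 2)],  # macOS Tahoe; older macOS is judged by its Safari row
    "tvos": [(26, 2)],
    "visionos": [(26, 2)],
    "watchos": [(26, 2)],
}

def status(product, version):
    """Classify one inventory row as 'patched', 'vulnerable' or 'review'."""
    name = product.strip().lower()
    fixes = FIXED.get(name)
    try:
        v = tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return "review"  # beta or build strings need a human decision
    if fixes is None:
        return "review"  # product not covered by this advisory
    branch = [f for f in fixes if f[0] == v[0]]
    if branch:
        return "patched" if v >= branch[0] else "vulnerable"
    if v[0] > max(f[0] for f in fixes):
        return "patched"  # newer major release than every listed fix
    # Assumption: no listed fix on this branch means unpatched (pre-Tahoe macOS: see Safari row).
    return "review" if name == "macos" else "vulnerable"

def audit(csv_text):
    """Map device name -> status for an MDM-style CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: status(r["product"], r["version"]) for r in rows}

# Constructed sample export; column names and devices are hypothetical.
SAMPLE = """device,product,version
exec-iphone,iOS,18.7.2
field-ipad,iPadOS,18.7.3
dev-iphone,iOS,26.1
mac-02,macOS,15.7
mac-02-safari,Safari,26.2
beta-phone,iOS,26.2b3
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows returned as `review` are the ones the version rule cannot settle, such as beta build strings or a pre-Tahoe Mac whose Safari version must be checked.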