Apple CVE-2025-43529
Severity: HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
Analysis (AI)
A use-after-free memory corruption in WebKit allows remote attackers to execute arbitrary code by convincing users to visit a malicious website. It affects WebKit across Safari, iOS/iPadOS, macOS, tvOS, visionOS and watchOS, and is fixed in Safari 26.2, iOS/iPadOS 18.7.3 and 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2. The vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. The EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given the confirmed exploitation. The related CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users.
Technical Context (AI)
This vulnerability stems from a use-after-free condition (CWE-416) in WebKit, Apple's browser engine that powers Safari and in-app web content rendering across the entire Apple ecosystem. Use-after-free vulnerabilities occur when code continues to use a memory pointer after the referenced memory has been deallocated, creating opportunities for attackers to manipulate freed memory regions and redirect program execution flow. In WebKit's case, processing specially crafted web content triggers premature deallocation of objects that are subsequently referenced during rendering or JavaScript execution. The cross-platform nature of WebKit means this single memory management flaw propagates across Safari on macOS, mobile Safari on iOS/iPadOS, and embedded WebKit instances in tvOS, watchOS, and visionOS applications. Apple's acknowledgment of exploitation specifically on iOS versions before iOS 26 indicates the vulnerability likely resided in WebKit's mobile implementation for an extended period before discovery.
Remediation (AI)
Immediately update all Apple devices to patched versions released by Apple in their coordinated security update. Install Safari 26.2 on macOS systems via Software Update or direct download from support.apple.com/en-us/125884. Update iOS and iPadOS devices to version 18.7.3 (advisory support.apple.com/en-us/125885) or version 26.2 (advisory support.apple.com/en-us/125886) depending on device compatibility. Update macOS Tahoe to version 26.2 per support.apple.com/en-us/125889. Update tvOS to 26.2 (support.apple.com/en-us/125890), visionOS to 26.2 (support.apple.com/en-us/125891), and watchOS to 26.2 (support.apple.com/en-us/125892). No effective workarounds exist for WebKit vulnerabilities given the engine's deep integration across the operating system; disabling JavaScript would break legitimate functionality while not fully mitigating use-after-free conditions that may trigger during HTML/CSS processing. Prioritize iOS/iPadOS updates for high-value individuals given confirmed exploitation on mobile platforms. Organizations should verify update deployment through mobile device management systems and treat this as an emergency patch cycle given active exploitation.
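As an added example (not part of this page or of Apple's guidance), the following Python script triages a constructed MDM inventory export against the fixed versions listed above; the record field names and sample devices are assumptions, and it treats Safari 26.2 as the fix for macOS releases older than Tahoe, as the remediation section describes.

```python
# Triage a constructed MDM inventory export against the fixed versions for
# CVE-2025-43529. Record field names and sample devices are assumptions.
from typing import Dict, List, Tuple

# Minimum fixed release per platform, keyed by major-version branch:
# iOS/iPadOS have two supported branches (18.7.3 and 26.2), the rest only 26.2.
FIXED_VERSIONS: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "ios": {18: (18, 7, 3), 26: (26, 2)},
    "ipados": {18: (18, 7, 3), 26: (26, 2)},
    "macos": {26: (26, 2)},
    "safari": {26: (26, 2)},
    "tvos": {26: (26, 2)}, "visionos": {26: (26, 2)}, "watchos": {26: (26, 2)},
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3); tuples compare lexicographically, so
    (26, 2, 1) >= (26, 2) while (18, 7, 2) < (18, 7, 3)."""
    return tuple(int(part) for part in text.strip().split("."))

def is_fixed_release(platform: str, version: str) -> bool:
    """True if version is at or above the fixed release of its major branch.
    A branch with no fixed release (e.g. iOS 17) or an unknown platform is exposed."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(platform.lower(), {}).get(v[0])
    return fixed is not None and v >= fixed

def is_patched(record: dict) -> bool:
    """OS-level check; macOS releases older than Tahoe are covered by Safari 26.2."""
    platform = record["platform"].lower()
    if is_fixed_release(platform, record["version"]):
        return True
    safari = record.get("safari")
    return platform == "macos" and bool(safari) and is_fixed_release("safari", safari)

def exposed_devices(inventory: List[dict]) -> List[str]:
    """Device names still exposed to CVE-2025-43529, in inventory order."""
    return [r["device"] for r in inventory if not is_patched(r)]

# Constructed sample export, not real device data.
SAMPLE_INVENTORY = [
    {"device": "iphone-01", "platform": "iOS", "version": "18.7.3"},
    {"device": "iphone-02", "platform": "iOS", "version": "18.7.2"},
    {"device": "iphone-03", "platform": "iOS", "version": "17.6.1"},
    {"device": "ipad-01", "platform": "iPadOS", "version": "26.2"},
    {"device": "mbp-01", "platform": "macOS", "version": "15.7", "safari": "26.2"},
    {"device": "mbp-02", "platform": "macOS", "version": "26.1", "safari": "26.1"},
    {"device": "watch-01", "platform": "watchOS", "version": "26.2.1"},
]
if __name__ == "__main__":
    print("Exposed:", exposed_devices(SAMPLE_INVENTORY))  # iphone-02, iphone-03, mbp-02
```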
Source: vuln.today