iOS CVE-2025-43536
MEDIUM
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Description (NVD)
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Analysis (AI)
A use-after-free memory corruption issue in Apple's WebKit rendering engine allows remote attackers to crash Safari and iOS/iPadOS applications that process maliciously crafted web content. Exploitation requires only user interaction (a page visit) and no authentication. The vulnerability affects versions earlier than the fixed releases: Safari 26.2, iOS 18.7.3 and iOS 26.2, iPadOS 18.7.3 and iPadOS 26.2, and macOS Tahoe 26.2. With an EPSS score of 0.06% and no confirmed public exploit, this is a low real-world exploitation priority despite the medium CVSS 4.3 severity rating, with impact limited to denial of service through process termination.
Technical Context (AI)
The vulnerability stems from a use-after-free condition (CWE-416) in WebKit, Apple's rendering engine shared across Safari, iOS Safari, and other bundled web-based applications. Use-after-free occurs when memory is accessed after it has been freed, leading to potential memory corruption. In this case, improved memory management was implemented to prevent premature deallocation of web content resources during processing. The affected products, with their CPE identifiers, are Apple Safari (cpe:2.3:a:apple:safari), iPhone OS (cpe:2.3:o:apple:iphone_os), iPadOS (cpe:2.3:o:apple:ipados), and macOS (cpe:2.3:o:apple:macos). The attack vector is the network: the malicious web content has to be served or delivered to the target, and the user interaction requirement (UI:R in the CVSS vector) means a user must visit or interact with the malicious page to trigger the memory corruption.
Remediation (AI)
Vendor-released patches are available: update Safari to version 26.2 or later, iOS to version 18.7.3 or later or iOS 26.2 or later, iPadOS to version 18.7.3 or later or iPadOS 26.2 or later, and macOS to Tahoe 26.2 or later. Users should enable automatic security updates where possible, or manually update through Settings > General > Software Update on iOS/iPadOS and System Settings > General > Software Update on macOS. For Safari users on macOS, updates are bundled with macOS system updates. No workarounds are documented; patching is the primary remediation path. Refer to the official Apple security advisories at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125885, https://support.apple.com/en-us/125886, and https://support.apple.com/en-us/125892 for device-specific guidance.
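An added example, not part of the original advisory or of any Apple tooling: a fleet triage check built on the fixed versions listed above, comparing each device only against the fix for its own release train. The status names, the inventory format, and the treatment of trains later than 26 as patched are assumptions.

```python
# Fixed releases from the advisory text, keyed by product, then by release
# train (major version). Each train has its own minimum patched version.
FIXED = {
    "safari": {26: (26, 2, 0)},
    "ios": {18: (18, 7, 3), 26: (26, 2, 0)},
    "ipados": {18: (18, 7, 3), 26: (26, 2, 0)},
    "macos": {26: (26, 2, 0)},
}


def parse_version(text):
    """Turn '18.7.3' or '26.2' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(product, version):
    """Return 'patched', 'unpatched' or 'unlisted' for one inventory entry."""
    trains = FIXED.get(product.strip().lower())
    if trains is None:
        return "unlisted"  # product not named in the advisory
    v = parse_version(version)
    if v[0] in trains:
        # Compare within the train only: 26.1 > 18.7.3 numerically but predates 26.2.
        return "patched" if v >= trains[v[0]] else "unpatched"
    if v[0] > max(trains):
        return "patched"  # assumption: later trains carry the fix ("or later")
    return "unlisted"  # no fixed release listed for this train; review by hand


def triage_inventory(rows):
    """Map (host, product, version) rows to {host: status}."""
    return {host: triage(product, version) for host, product, version in rows}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "18.7.2"),
    ("phone-02", "iOS", "26.1"),
    ("tablet-01", "iPadOS", "18.7.3"),
    ("laptop-01", "macOS", "26.2.1"),
    ("laptop-02", "macOS", "15.7"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as unlisted fall outside the release trains the advisory names and need a manual check against the Apple advisories linked above.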