CVE-2025-43529

EUVD-2025-203963

17.12.2025, 21:16

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
apple	safari	𝑥 < 26.2
apple	ipados	𝑥 < 18.7.3
apple	ipados	26.0 ≤ 𝑥 < 26.2
apple	iphone_os	𝑥 < 18.7.3
apple	iphone_os	26.0 ≤ 𝑥 < 26.2
apple	macos	𝑥 < 26.2
apple	tvos	𝑥 < 26.2
apple	visionos	𝑥 < 26.2
apple	watchos	𝑥 < 26.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

webkit2gtk

bookworm	2.50.4-1~deb12u1 ignored
bookworm (security)	2.50.4-1~deb12u1 fixed
bullseye	vulnerable
bullseye (security)	2.50.4-1~deb11u1 fixed
forky	2.50.5-1 fixed
sid	2.50.5-1 fixed
trixie	2.50.4-1~deb13u1 ignored
trixie (security)	2.50.4-1~deb13u1 fixed

wpewebkit

bookworm	ignored
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2.50.5-1 fixed
sid	2.50.5-1 fixed
trixie	ignored

Ubuntu Releases

Ubuntu Product

Codename

webkit2gtk

bionic	ignored
focal	ignored
jammy	Fixed 2.50.4-0ubuntu0.22.04.1 released
noble	Fixed 2.50.4-0ubuntu0.24.04.1 released
plucky	Fixed 2.50.4-0ubuntu0.25.04.1 released
questing	Fixed 2.50.4-0ubuntu0.25.10.1 released
xenial	ignored

webkitgtk

bionic	ignored
jammy	dne
noble	dne
plucky	dne
questing	dne
xenial	ignored

qtwebkit-source

bionic	ignored
jammy	dne
noble	dne
plucky	dne
questing	dne
xenial	ignored

qtwebkit-opensource-src

bionic	ignored
focal	ignored
jammy	ignored
noble	ignored
plucky	dne
questing	dne
xenial	ignored

wpewebkit

focal	ignored
jammy	ignored
noble	dne
plucky	dne
questing	dne

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Vulnerability Media Exposure

References

https://support.apple.com/en-us/125884

https://support.apple.com/en-us/125885

https://support.apple.com/en-us/125886

https://support.apple.com/en-us/125889

https://support.apple.com/en-us/125890

https://support.apple.com/en-us/125891

https://support.apple.com/en-us/125892

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-43529