CVE-2025-43529 is a use-after-free vulnerability in WebKit, the browser engine used by Safari and all WebKit-based browsers on Apple platforms. A use-after-free occurs when software continues to reference memory that has already been freed, which can lead to memory corruption and remote code execution (RCE) when processing crafted content. This vulnerability is actively exploited in the wild.

The vulnerability affects Apple devices and OS components that use WebKit, including:

1. iOS and iPadOS (pre-26.2/18.7.3)
2. macOS Tahoe (pre-26.2)
3. tvOS, watchOS, visionOS (pre-26.2)
4. Safari browser on those platforms

In practice, this means many iPhones, iPads, Macs, Apple TVs, Apple Watches, and Vision Pro devices running older OS versions are vulnerable.

How attackers exploit this vulnerability (attack vector)

An attacker crafts malicious HTML/CSS/JavaScript that triggers the use-after-free inside WebKit while the victim’s browser renders the page. This causes memory to be corrupt in a controlled way, enabling the attacker to execute arbitrary code in the context of the browser process.

• Impact: Successfully exploited, this can lead to:

• Remote Code Execution (RCE) — the attacker runs code on the device as the browser user
• Privilege misuse if combined with other flaws
• Further compromise of the device via chained exploits

CERTVU recommend:

Patch Immediately: install the security updates Apple released (these address CVE-2025-43529):

• iOS & iPadOS: 18.7.3, 26.2 or later
• macOS Tahoe: 26.2 or later
• tvOS, watchOS, visionOS: 26.2 or later
• Safari: 26.2 or later