Apple WebKit Use-After-Free (Arbitrary Code Execution Zero-Day)
A use-after-free in Apple's WebKit browser engine was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. The flaw affects Safari, every third-party browser on iOS/iPadOS (Apple requires them to use WebKit outside the EU), and any app that renders web content through WebKit.
Overview
CVE-2025-43529 is a use-after-free vulnerability in WebKit, the browser engine that powers Safari and, on iOS and iPadOS, every third-party browser as well (Apple requires iOS browsers to use WebKit, with an EU-only exception for alternative engines that does not change the exposure of browsers that still embed it). Processing maliciously crafted web content can trigger access to freed memory and lead to arbitrary code execution within the WebKit content process. Because the only prerequisite is that the victim renders attacker-controlled web content, the bug is exploitable through a malicious page, a watering-hole site, a link opened from a message, or web content embedded in another app via WKWebView.
Apple released emergency updates in December 2025 and stated it is aware of a report that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. The vulnerability was reported by Google's Threat Analysis Group, whose in-the-wild findings are consistent with commercial-spyware or state-aligned activity, and it was disclosed alongside companion fixes for the same intrusion. CISA added CVE-2025-43529 to its Known Exploited Vulnerabilities catalog on December 15, 2025 with a remediation deadline of January 5, 2026.
Technical Details
A use-after-free (CWE-416) arises when a program continues to use memory after it has been freed. In WebKit's large, reference-counted object graph, certain operations on crafted web content can cause an object to be deallocated while a dangling reference to it remains live; a subsequent use of that reference operates on memory the allocator may already have handed out again, which the attacker arranges to be refilled with controlled data (heap grooming). From a corrupted object the attacker builds the arbitrary read/write and control-flow primitives needed to execute code in the WebKit content process. That process is sandboxed on every Apple platform, so code execution there is normally the first link in a chain rather than a full device compromise; escaping the sandbox and reaching the kernel takes additional bugs. Apple's advisory states the issue was addressed with improved memory management, which is Apple's standard wording and does not identify the affected object or code path.
The CVSS data published via NVD (CISA-ADP) assigns a base score of 8.8 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vector describes a network-reachable, low-complexity attack with no privileges, requiring user interaction (loading the page), and yielding high impact to confidentiality, integrity, and availability within the affected scope. Apple shipped fixes across its ecosystem: iOS and iPadOS 18.7.3 and 26.2, macOS Tahoe 26.2, Safari 26.2, and tvOS, visionOS, and watchOS 26.2.
Impact
- Arbitrary code execution in the WebKit content process from processing maliciously crafted web content.
- Affects Safari and all browsers on iOS/iPadOS, plus WebKit-rendered content in apps, broadening the exposure beyond a single browser.
- Reportedly exploited in an extremely sophisticated, targeted attack against specific individuals, consistent with commercial-spyware tradecraft.
- Spans the full Apple device ecosystem: iPhone, iPad, Mac, Apple TV, Apple Watch, and Apple Vision Pro.
Mitigation
- Update iPhone and iPad to iOS/iPadOS 26.2, or to 18.7.3 on devices remaining on the iOS 18 line.
- Update Mac to macOS Tahoe 26.2 and update Safari to 26.2.
- Update Apple TV to tvOS 26.2, Apple Watch to watchOS 26.2, and Apple Vision Pro to visionOS 26.2.
- The OS updates restart the device themselves. After a standalone Safari update on macOS, quit and relaunch Safari and any app that embeds WebKit so they stop running the old framework, or simply reboot.
- High-risk individuals (journalists, activists, executives, government staff) should enable Lockdown Mode, which hardens WebKit (among other things by disabling just-in-time JavaScript compilation and blocking some complex web technologies in Safari) and blunts this class of attack.
- Federal Civilian Executive Branch agencies were required to remediate by January 5, 2026 under CISA BOD 22-01.
Detection
Apple does not expose low-level exploit telemetry to defenders, so detection on iOS and iPadOS relies primarily on version and configuration assurance through a mobile device management platform. Inventory the OS build of every managed Apple device and flag any iPhone or iPad below iOS/iPadOS 18.7.3 (or below 26.2 on the iOS 26 line), any Mac below macOS Tahoe 26.2, and any Apple TV, Watch, or Vision Pro below the 26.2 builds. MDM compliance policies can quarantine non-compliant devices from corporate resources until they update.
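The version-assurance check described above, as an added example that is not Apple or CISA tooling: it assumes an MDM export that yields, per device, an identifier, a platform name and an OS version string (the record layout, field names and sample inventory are constructed for illustration). It encodes the page's thresholds for both supported lines, compares versions numerically rather than as strings, and treats anything it cannot assess (unknown platform, unparseable version, a line older than the oldest patched one) as non-compliant.

```python
"""Version-assurance check for CVE-2025-43529 across an Apple fleet.

Added example, not Apple or CISA tooling. Assumes an MDM export that yields,
per device, an identifier, a platform name and the OS version string; the
record layout, the field names and the sample inventory are constructed.
"""
from typing import Dict, List, Tuple

# Minimum patched build per platform and major-version line, as listed in
# Apple's December 2025 advisory and summarised on this page. macOS, tvOS,
# watchOS and visionOS have a fix only on their 26 line.
PATCHED: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "ios":      {18: (18, 7, 3), 26: (26, 2)},
    "ipados":   {18: (18, 7, 3), 26: (26, 2)},
    "macos":    {26: (26, 2)},
    "tvos":     {26: (26, 2)},
    "watchos":  {26: (26, 2)},
    "visionos": {26: (26, 2)},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3); '26.2' -> (26, 2). Raises ValueError on
    anything that is not dot-separated non-negative integers."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        raise ValueError(f"bad version string: {text!r}") from None
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return parts


def is_patched(platform: str, version: str) -> bool:
    """True if the build contains the WebKit fix for this platform."""
    lines = PATCHED[platform.lower()]
    v = parse_version(version)
    major = v[0]
    if major in lines:
        # Same line: Python compares tuples element by element, so
        # (26, 2, 1) >= (26, 2) and (18, 7, 3) >= (18, 7, 3) both hold.
        return v >= lines[major]
    # A line newer than every patched line (a hypothetical 27.x) inherits the
    # fix. Anything older than the oldest patched line (iOS 17, macOS 15) has
    # no fix on this page and is treated as exposed.
    return major > max(lines)


def flag_noncompliant(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (device_id, reason) for every device that must not reach
    corporate resources yet. Unknown platforms and unparseable versions are
    flagged rather than skipped: a device you cannot assess is not compliant."""
    flagged = []
    for d in inventory:
        plat = d.get("platform", "").lower()
        if plat not in PATCHED:
            flagged.append((d["id"], f"unknown platform {plat!r}"))
            continue
        try:
            ok = is_patched(plat, d.get("os_version", ""))
        except ValueError as exc:
            flagged.append((d["id"], str(exc)))
            continue
        if not ok:
            need = " or ".join(".".join(map(str, b)) for b in PATCHED[plat].values())
            flagged.append((d["id"], f"{plat} {d['os_version']} < required {need}"))
    return flagged


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-ceo",   "platform": "iOS",     "os_version": "26.1.1"},
    {"id": "iphone-legal", "platform": "iOS",     "os_version": "18.7.3"},
    {"id": "ipad-sales",   "platform": "iPadOS",  "os_version": "17.7.2"},
    {"id": "mac-dev",      "platform": "macOS",   "os_version": "26.2.1"},
    {"id": "mac-finance",  "platform": "macOS",   "os_version": "15.7.2"},
    {"id": "watch-exec",   "platform": "watchOS", "os_version": "26.2"},
    {"id": "tv-lobby",     "platform": "tvOS",    "os_version": "n/a"},
]

if __name__ == "__main__":
    for dev, why in flag_noncompliant(SAMPLE_INVENTORY):
        print(f"NONCOMPLIANT {dev}: {why}")
```

The page lists only macOS Tahoe 26.2 as the patched macOS build, so the table flags every Mac on an older line; if you track the Safari version separately, extend the record and the table rather than loosening the comparison.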
For active-threat hunting, the most valuable artifact is Apple's own threat notification: Apple directly notifies users it believes were targeted by mercenary spyware, and any such notification to a member of your organization should be treated as a confirmed high-severity incident warranting forensic preservation. Where available, ingest indicators of compromise published by Google's Threat Analysis Group or downstream researchers for the associated campaign, and alert on the corresponding domains and infrastructure in proxy and DNS logs. On macOS, EDR can watch for the Safari or WebKit content process (com.apple.WebKit.WebContent) spawning unexpected child processes or making anomalous network connections immediately after browsing activity.
Because exploitation requires rendering malicious web content, correlate web-proxy and email-security logs for one-off or freshly registered domains being delivered to high-value users just before any suspicious device behavior. For deeper investigation of a suspected iOS compromise, a sysdiagnose capture and analysis with tooling such as the Mobile Verification Toolkit can surface spyware artifacts, though physical access and user cooperation are usually required. Finally, verify that Lockdown Mode is enforced for your highest-risk population and confirm via MDM that it remains enabled, since it is one of the few proactive, attacker-agnostic controls against this exact category of WebKit zero-day.
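The two hunting ideas above (a WebKit content process spawning children on macOS, and first-contact domains delivered to a user just before suspicious device behaviour) combined into one correlation, as an added example that is not part of this page or of any EDR or proxy product. It assumes two feeds exported from your own tooling: process-start events carrying the parent image, child image, user and timestamp, and proxy records carrying a timestamp, user and domain; the field names, the allowlist, the two-minute window and the sample records are constructed for illustration.

```python
"""Hunt for post-exploitation behaviour from the WebKit content process on
macOS and tie it to first-contact web infrastructure.

Added example, not part of this page or of any vendor product. Field names,
the allowlist, the window and the sample records are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

WEBCONTENT = "com.apple.WebKit.WebContent"

# Child images the content process is allowed to spawn. The sandboxed content
# process has no business launching anything, so the allowlist starts empty;
# add entries only after baselining your own fleet.
EXPECTED_CHILDREN: Set[str] = set()

# Constructed EDR process-start events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-12-10T09:14:05", "host": "mac-exec", "user": "jane",
     "parent": WEBCONTENT, "child": "/bin/sh"},
    {"ts": "2025-12-10T09:30:00", "host": "mac-dev", "user": "bob",
     "parent": "/bin/zsh", "child": "/bin/sh"},
    {"ts": "2025-12-10T10:00:00", "host": "mac-dev", "user": "bob",
     "parent": WEBCONTENT, "child": "/usr/bin/security"},
]

# Constructed proxy records; the .example domain plays the lure.
PROXY: List[Dict[str, str]] = [
    {"ts": "2025-12-10T09:13:40", "user": "jane", "domain": "cdn-updates-7a1c.example"},
    {"ts": "2025-12-10T09:13:41", "user": "jane", "domain": "www.apple.com"},
    {"ts": "2025-12-10T09:59:00", "user": "bob", "domain": "github.com"},
]

# Domains the organisation had contacted before the hunt window (constructed).
BASELINE: Set[str] = {"www.apple.com", "github.com"}


def suspicious_children(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process starts whose parent is the WebKit content process and whose
    child image is not allowlisted. Each one is a lead on its own."""
    return [e for e in events
            if e["parent"] == WEBCONTENT and e["child"] not in EXPECTED_CHILDREN]


def new_domains(proxy: List[Dict[str, str]], baseline: Set[str]) -> Set[str]:
    """Domains in the hunt window the organisation had never contacted before:
    the 'one-off or freshly registered' pattern the text describes."""
    return {r["domain"] for r in proxy} - baseline


def correlate(events: List[Dict[str, str]], proxy: List[Dict[str, str]],
              baseline: Set[str], window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Pair each suspicious child process with a never-before-seen domain that
    the same user fetched within `window` before the process started. A hit
    is far higher fidelity than either signal alone."""
    fresh = new_domains(proxy, baseline)
    hits = []
    for e in suspicious_children(events):
        t_proc = datetime.fromisoformat(e["ts"])
        for r in proxy:
            if r["user"] != e["user"] or r["domain"] not in fresh:
                continue
            lag = t_proc - datetime.fromisoformat(r["ts"])
            if timedelta(0) <= lag <= window:
                hits.append({"user": e["user"], "host": e["host"], "child": e["child"],
                             "domain": r["domain"], "lag_s": int(lag.total_seconds())})
    return hits


if __name__ == "__main__":
    for lead in suspicious_children(EVENTS):
        print("LEAD", lead["host"], lead["user"], lead["child"])
    for hit in correlate(EVENTS, PROXY, BASELINE):
        print("HIT ", hit)
```

On the sample data both WebContent children are leads, but only jane's shell, started 25 seconds after her first-ever visit to the lure domain, becomes a correlated hit; bob's event has no fresh domain nearby and stays a lead to triage by hand. Replace the in-memory baseline with your proxy history (or a domain-age enrichment) and the constructed lists with real exports.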