Full Report
Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week. The vulnerabilities are listed below:
- CVE-2025-43529 (CVSS score: N/A) - A use-after-free vulnerability in WebKit
Analysis Summary
# Vulnerability: WebKit Use-After-Free Exploited in the Wild
## CVE Details
- CVE ID: CVE-2025-43529
- CVSS Score: N/A (Severity unknown/not provided)
- CWE: Weakness related to Memory Management (Implied by Use-After-Free)
## Affected Systems
- Products: iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari web browser.
- Versions: iOS versions prior to iOS 26 (the specific patched versions are listed under Remediation).
- Configurations: Processing maliciously crafted web content.
## Vulnerability Description
CVE-2025-43529 is described as a **Use-After-Free (UAF)** vulnerability within the **WebKit** rendering engine. If successfully exploited, this flaw may lead to **arbitrary code execution** when the affected system processes specifically designed web content. This vulnerability affects WebKit, impacting all third-party web browsers on iOS and iPadOS that use it as their engine.
## Exploitation
- Status: **Exploited in the wild** (Apple is aware of its use in "an extremely sophisticated attack against specific targeted individuals").
- Complexity: Inferred to be **Low/Medium** given its inclusion in highly targeted attacks, though no complexity score is provided.
- Attack Vector: Implied to be **Network/Remote** via processing web content (i.e., browsing a malicious website).
## Impact
*Note: Impact levels are inferred based on the vulnerability type (UAF leading to arbitrary code execution).*
- Confidentiality: **High** (Potential for full system compromise)
- Integrity: **High** (Potential for modification of system files/data)
- Availability: **High** (Potential for Denial of Service or system loss of control)
## Remediation
### Patches
Apple released security updates to address this flaw:
- **iOS 26.2 and iPadOS 26.2**
- **iOS 18.7.3 and iPadOS 18.7.3**
- **macOS Tahoe 26.2**
- **tvOS 26.2**
- **watchOS 26.2**
- **visionOS 26.2**
- **Safari 26.2** (for Macs running macOS Sonoma and macOS Sequoia)
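An added inventory check (not part of the original report, and not Apple's or any MDM vendor's code) that compares a constructed device export against the patched releases above, including the Sonoma/Sequoia case where the fix ships as Safari 26.2 rather than an OS update; the export format and helper names are assumptions.

```python
# Added example (not Apple's or any MDM vendor's code): checks a constructed
# device-inventory export against the patched releases listed above.
# The export format and helper names are assumptions for illustration.

# Lowest fixed release per product and major-version branch. iOS/iPadOS got
# fixes on two branches (18.7.3 and 26.2); the other products only on 26.2.
PATCHED = {"iOS": {18: (18, 7, 3), 26: (26, 2)}}
PATCHED["iPadOS"] = PATCHED["iOS"]
for name in ("macOS", "tvOS", "watchOS", "visionOS", "Safari"):
    PATCHED[name] = {26: (26, 2)}

def parse_version(text):
    """'18.7.3' -> (18, 7, 3); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(product, version, safari_version=None):
    """True if at or above the fixed release for the branch; False if below or
    on a branch with no listed fix (assumption: e.g. iOS 17.x counts as
    exposed); None if the product is outside this advisory."""
    v = parse_version(version)
    if product == "macOS" and v[0] in (14, 15):   # Sonoma (14), Sequoia (15)
        # These Macs receive the fix as Safari 26.2, not as an OS update.
        return safari_version is not None and is_patched("Safari", safari_version)
    branches = PATCHED.get(product)
    if branches is None:
        return None
    floor = branches.get(v[0])
    return floor is not None and v >= floor

# Constructed sample export: device id, product, OS version[, Safari version]
INVENTORY = """\
mac-01,macOS,26.1
mac-02,macOS,15.7.2,26.2
mac-03,macOS,15.7.2,26.1
iphone-01,iOS,18.7.3
iphone-02,iOS,17.6.1
ipad-01,iPadOS,26.1
"""

def audit(csv_text):
    """Return ids of devices still exposed to CVE-2025-43529."""
    exposed = []
    for line in csv_text.splitlines():
        parts = line.split(",")
        if len(parts) < 3:
            continue  # skip blank or malformed rows
        safari = parts[3] if len(parts) > 3 else None
        if is_patched(parts[1], parts[2], safari) is False:
            exposed.append(parts[0])
    return exposed
```

Feed it a real MDM export in the same column order to get the list of devices that still need the update or the stand-alone Safari build.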
### Workarounds
No specific workarounds were detailed in the provided text; immediate patching is the advised strategy.
## Detection
- Detection methods are not explicitly stated, but vigilance for indicators related to the exploitation of CVE-2025-14174 (which was exploited alongside this one) may be relevant.
- General detection focus should be on monitoring for anomalous process behavior stemming from WebKit or browser rendering components.
## References
- Apple Security Advisory (General Reference for all updates on this date): `https://support.apple.com/en-us/100100`
- iOS 26.2/iPadOS 26.2 Advisory: `https://support.apple.com/en-us/125884`
- iOS 18.7.3/iPadOS 18.7.3 Advisory: `https://support.apple.com/en-us/125885`
- macOS Tahoe 26.2 Advisory: `https://support.apple.com/en-us/125886`
- tvOS 26.2 Advisory: `https://support.apple.com/en-us/125889`
- watchOS 26.2 Advisory: `https://support.apple.com/en-us/125890`
- visionOS 26.2 Advisory: `https://support.apple.com/en-us/125891`
- Safari 26.2 Advisory: `https://support.apple.com/en-us/125892`