
CVE-2025-43529: Apple WebKit zero-day exploited in targeted attacks

What CVE-2025-43529 is

CVE-2025-43529 is a use-after-free bug (memory used after being freed, CWE-416) in WebKit, the browser engine behind Safari and every web browser on iOS and iPadOS. When WebKit processes specially crafted web content, a chunk of memory that was already freed gets reused. An attacker can take that slip, corrupt memory, and eventually reach arbitrary code execution on the victim’s device.

The National Vulnerability Database (NVD) rates it CVSS 3.1 8.8 (High), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In plain terms, the attack is remote, low in complexity, needs no prior privileges, and only requires the victim to interact, say by opening a crafted web page. Confidentiality, integrity and availability all take a high hit.

Who is affected

The flaw lives in WebKit, so it reaches almost the entire Apple lineup. According to the advisories, the vulnerable versions are those prior to:

  • Safari 26.2
  • iOS and iPadOS 18.7.3 (for devices still on the 18 line) and 26.2 (for the 26 line)
  • macOS 26.2 (Tahoe)
  • tvOS, visionOS and watchOS 26.2

Since WebKit is mandatory for any browser on iOS/iPadOS, switching to an alternative browser won’t save you from the problem on those platforms.

Severity and exploitation

What makes this one urgent isn’t only the CVSS score. There is confirmation of active exploitation. Apple acknowledged that the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals” on versions of iOS before iOS 26. When you see highly elaborate, targeted attacks like that, the trail usually leads to commercial spyware and surveillance operations aimed at journalists, activists or high-profile figures.

Given its weight, CISA added CVE-2025-43529 to its Known Exploited Vulnerabilities (KEV) catalog and set a remediation deadline of January 5, 2026 for U.S. federal agencies. That deadline binds only those agencies, but the message holds for everyone: the flaw is being used in the wild and needs fixing without delay.

Mitigation and patch

The fix is straightforward: update to the corrected versions. Apple shipped the patches in December 2025 through version 26.2 of its operating systems and the extra iOS/iPadOS 18.7.3 update for devices not yet moved to iOS 26.

Recommended steps:

  1. On iPhone/iPad, go to Settings › General › Software Update and install the latest available release.
  2. On Mac, open System Settings › General › Software Update.
  3. Make sure Safari and the rest of the apps that use WebKit are current.
  4. In managed environments, give deployment via MDM priority and verify compliance.
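
Step 4 is the part that scales badly by hand: an MDM export lists one OS build per device, and the fixed version differs by release line. The following compliance check is an added example, not code from the article or from any MDM vendor. It encodes the minimum fixed versions listed above (18.7.3 and 26.2 for iOS/iPadOS, 26.2 elsewhere) and flags devices below them; the inventory records are constructed sample data, and the treatment of release lines the advisory does not mention (for example iOS 17) as unpatched is this example's assumption, not a statement from Apple.

```python
# Minimum versions that carry the fix, per the advisories quoted in the
# article, keyed by platform and then by major release line.
FIXED_BY_LINE = {
    "ios":      {18: (18, 7, 3), 26: (26, 2)},
    "ipados":   {18: (18, 7, 3), 26: (26, 2)},
    "macos":    {26: (26, 2)},
    "safari":   {26: (26, 2)},
    "tvos":     {26: (26, 2)},
    "visionos": {26: (26, 2)},
    "watchos":  {26: (26, 2)},
}


def parse_version(text):
    """'18.7.3' -> (18, 7, 3). Tolerates the 'Version ' prefix Safari shows."""
    text = text.strip()
    if text.lower().startswith("version "):
        text = text[len("version "):]
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {text!r}") from None


def is_patched(platform, version):
    """True when the installed build is at or beyond the fixed release for its line.

    Assumptions of this example: a major line with no fixed release listed
    (e.g. iOS 17) is reported as unpatched, and a major newer than the newest
    fixed line (a future 27.x) is assumed to inherit the fix.
    """
    lines = FIXED_BY_LINE[platform.lower()]
    installed = parse_version(version)
    fixed = lines.get(installed[0])
    if fixed is None:
        return installed[0] > max(lines)
    # Tuple comparison handles '26.2.1' >= (26, 2) and '26' < (26, 2) correctly.
    return installed >= fixed


def noncompliant_devices(inventory):
    """From (device_name, platform, version) records, return names still vulnerable."""
    return [name for name, platform, version in inventory
            if not is_patched(platform, version)]


# Constructed sample inventory standing in for an MDM export (not real devices).
SAMPLE_INVENTORY = [
    ("iphone-exec-01",  "ios",     "26.2"),
    ("iphone-legal-01", "ios",     "18.7.2"),
    ("ipad-field-07",   "ipados",  "26.1"),
    ("mbp-eng-12",      "macos",   "26.2"),
    ("mbp-eng-13",      "macos",   "26.1"),
    ("watch-exec-01",   "watchos", "26.2.1"),
]

if __name__ == "__main__":
    for name in noncompliant_devices(SAMPLE_INVENTORY):
        print("NEEDS UPDATE:", name)
```

The point of comparing tuples rather than strings is the iOS 18 line: a naive string or float comparison would rank "18.7.3" below "26.0" and wrongly flag a fully patched iPhone that simply has not moved to iOS 26 yet.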

No reliable mitigation replaces the patch. Since merely visiting malicious web content is enough to get hit, updating is the only solid protection. If you run macOS machines alongside other systems, it’s also worth reviewing operating-system hardening practices in our guide at /en/articles/selinux-y-apparmor.
