PT-2025-51037 · Apple+7 · Ios+14

Published: 2025-12-12 · Updated: 2026-03-27 · CVE-2025-43529

CVSS v2.0: 10 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

WebKitGTK versions 2.50.4-0ubuntu0.25.04.1
Apple iOS versions prior to 18.7.3
Apple iPadOS versions prior to 18.7.3
Apple macOS versions prior to the security updates released to address CVE-2025-43529
Apple Safari versions prior to 26.2
Apple watchOS versions prior to 26.2
Apple visionOS versions prior to 26.2
Apple tvOS versions prior to 26.2
Description

A use-after-free vulnerability exists in WebKit, potentially allowing a remote attacker to execute arbitrary code. This vulnerability has been actively exploited in the wild and is considered a critical risk. The flaw stems from improper memory management within WebKit's HTML parsing logic. Specifically, a use-after-free condition occurs when software attempts to access memory that has already been freed, creating an opportunity for attackers to manipulate program behavior. Exploitation involves maliciously crafted web content. The vulnerability affects multiple Apple operating systems, including iOS, iPadOS, macOS, watchOS, visionOS, and tvOS, as well as Safari. The vulnerability has been observed in attacks targeting specific individuals. The flaw is related to the JavaScriptCore (JSC) engine and a missing Phi-merged youngster during Escape Analysis, allowing garbage collection of an object with a live reference. Exploitation can involve converting the use-after-free to a type confusion, structure mismatch, or arbitrary write primitive.
Recommendations

Update WebKitGTK to version 2.50.4-0ubuntu0.25.04.1.
Update Apple iOS to version 18.7.3 or later.
Update Apple iPadOS to version 18.7.3 or later.
Update Apple macOS to the latest security updates released to address CVE-2025-43529.
Update Apple Safari to version 26.2 or later.
Update Apple watchOS to version 26.2 or later.
Update Apple visionOS to version 26.2 or later.
Update Apple tvOS to version 26.2 or later.
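A version-check helper, added here as an example and not part of this advisory, that tells whether an installed build is below the fixed versions stated in the Recommendations above. WebKitGTK is compared with Debian/dpkg version ordering (epoch, upstream, revision, with "~" sorting before everything), Apple products with plain dotted numeric ordering; the product keys and the dpkg reimplementation are this example's own assumptions, and macOS is omitted because the advisory gives no numeric fixed version for it.

```python
import re

# Fixed versions as stated in the Recommendations section of this advisory.
FIXED = {
    "ios": "18.7.3", "ipados": "18.7.3", "safari": "26.2", "watchos": "26.2",
    "visionos": "26.2", "tvos": "26.2", "webkitgtk": "2.50.4-0ubuntu0.25.04.1",
}

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end-of-string < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one dpkg version fragment (upstream or revision): alternate
    # non-digit runs (character by character) and digit runs (numerically).
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1, like `dpkg --compare-versions` ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")   # last hyphen separates the revision
        if not sep:
            up, rev = rest, ""
        return int(epoch), up, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_vulnerable(product, installed):
    """True if `installed` is older than the fixed version listed for `product`."""
    fixed = FIXED[product.lower()]
    if product.lower() == "webkitgtk":
        return dpkg_compare(installed, fixed) < 0
    key = lambda v: [int(x) for x in v.split(".")]      # dotted Apple version
    a, b = key(installed), key(fixed)
    n = max(len(a), len(b))                             # missing components count as 0
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))
```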

Fix

DoS

Weakness Enumeration: Use After Free

Related Identifiers

ALSA-2025:23663
ALSA-2025:23700
BDU:2026-00005
CVE-2025-43529
DLA-4414-1
DSA-6083-1
OPENSUSE-SU-2026:20065-1
SUSE-SU-2025:4527-1
SUSE-SU-2025:4528-1
SUSE-SU-2026:0021-1
SUSE-SU-2026:20102-1
USN-7957-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Safari
Ubuntu
Webkit
Ios
Ipados
Tvos
Visionos
Watchos