CVE-2025-43368

4.3 MEDIUM

📋 TL;DR

A use-after-free vulnerability in Apple Safari, iOS, and iPadOS allows maliciously crafted web content to cause an unexpected crash when it is processed. It affects users running vulnerable versions of these Apple products. The issue has been addressed in the latest updates.

💻 Affected Systems

Products:
  • Safari
  • iOS
  • iPadOS
Versions: prior to Safari 26, iOS 26, and iPadOS 26
Operating Systems: iOS, iPadOS, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable when processing web content.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Potential arbitrary code execution leading to full device compromise if combined with other vulnerabilities, though this specific CVE only documents crashes.

🟠

Likely Case

Denial of service through Safari crashes when visiting malicious websites, disrupting user browsing sessions.

🟢

If Mitigated

Minimal impact with proper patching and security controls in place.

🌐 Internet-Facing: HIGH - Web browsers process untrusted internet content by design, making exploitation via malicious websites straightforward.
🏢 Internal Only: LOW - Requires user interaction with malicious content, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website). No public exploit code is documented in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safari 26, iOS 26, iPadOS 26

Vendor Advisory: https://support.apple.com/en-us/125108

Restart Required: No

Instructions:

1. Open the Settings app.
2. Navigate to General > Software Update.
3. Install the available updates for iOS/iPadOS.
4. For Safari on macOS, update through System Preferences > Software Update.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Temporarily disable JavaScript in Safari settings to prevent malicious web content execution.

🧯 If You Can't Patch

  • Implement web filtering to block known malicious websites.
  • Use alternative browsers until patches can be applied.

🔍 How to Verify

Check if Vulnerable:

Check Safari version in Safari > About Safari. Check iOS/iPadOS version in Settings > General > About.

Check Version:

For macOS: sw_vers -productVersion. For iOS/iPadOS: Settings > General > About > Version.

Verify Fix Applied:

Confirm version is Safari 26 or later, iOS 26 or later, or iPadOS 26 or later.
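The version check above can be scripted for fleet inventories. The following POSIX shell script is an added example, not part of the advisory or Apple's tooling: it compares the major component of a dotted version string against the fixed major release (26, which the advisory gives for Safari, iOS and iPadOS alike) and reports each product as fixed or vulnerable. On a Mac it reads the installed Safari version from the Safari bundle's Info.plist with `defaults read`; elsewhere it falls back to a constructed sample value so the script still runs. The iOS value passed at the bottom is also a constructed sample, since iOS/iPadOS versions are read from Settings > General > About or from an MDM inventory rather than a local command.

```shell
#!/bin/sh
# Added example (not from the advisory): check reported product versions
# against the fixed release named in the advisory (Safari/iOS/iPadOS 26).

FIXED_MAJOR=26

# is_fixed VERSION -> exit status 0 if the major component is >= FIXED_MAJOR.
# Handles any dotted version string such as "18.6", "26", or "26.0.1".
is_fixed() {
    major=$(printf '%s' "$1" | cut -d. -f1 | tr -dc '0-9')
    [ -n "$major" ] && [ "$major" -ge "$FIXED_MAJOR" ]
}

# vuln_status PRODUCT VERSION -> prints one line: fixed or VULNERABLE.
vuln_status() {
    if is_fixed "$2"; then
        printf '%s %s: fixed\n' "$1" "$2"
    else
        printf '%s %s: VULNERABLE (update to %s %s or later)\n' \
            "$1" "$2" "$1" "$FIXED_MAJOR"
    fi
}

# safari_version -> the installed Safari version on a Mac, read from the
# bundle's Info.plist; on other systems a constructed sample value.
safari_version() {
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -r "$plist" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "$plist" CFBundleShortVersionString
    else
        echo "18.6"   # constructed sample value (not a real reading)
    fi
}

vuln_status Safari "$(safari_version)"
vuln_status iOS "26.0.1"   # constructed sample value
```

Run it with `sh check_versions.sh`; a non-zero exit from `is_fixed` is what a larger inventory script would key on, while `vuln_status` gives the human-readable line.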

📡 Detection & Monitoring

Log Indicators:

  • Safari crash logs with memory access violations
  • Unexpected browser termination events

Network Indicators:

  • Connections to suspicious domains followed by browser crashes

SIEM Query:

source="*safari*" AND (event="crash" OR event="terminated")
