CVE-2023-43000
Published: 05 November 2025
Summary
CVE-2023-43000 is a high-severity Use After Free (CWE-416) vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 8.0th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability tracked as CVE-2023-43000 and assigned CWE-416 was addressed through improved memory management in multiple Apple products. The affected components include macOS Ventura prior to 13.5, iOS and iPadOS prior to 16.6, Safari prior to 16.6, and older iOS/iPadOS versions prior to 15.8.7. The flaw resides in the handling of web content and can result in memory corruption when maliciously crafted input is processed.
An unauthenticated remote attacker can trigger the issue by supplying malicious web content that a victim processes in the affected browser or operating system component. Successful exploitation yields high impact across confidentiality, integrity, and availability without requiring elevated privileges, though user interaction is needed to render the content.
Apple security advisories at the referenced support pages document the fixes and list the updated versions that resolve the vulnerability. The same references include a detailed analysis of an iOS exploit kit observed in the wild that leverages similar memory corruption primitives. The current EPSS score remains low at 0.0003 with no indicated upward movement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47421
Vulnerability details
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption.
- CWE(s)
- KEV Date Added
- 05 March 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires memory protection mechanisms that would block use-after-free exploitation and resulting memory corruption when processing web content.
Mandates timely application of patches that remediate the specific memory-management flaw, as Apple did in the listed macOS/iOS/Safari updates.
Provides malicious-code detection and blocking capabilities that can stop or alert on crafted web content used to trigger the vulnerability.