Cyber Resilience

CVE-2023-43000

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 November 2025

Modified: 12 March 2026
KEV Added: 05 March 2026
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-43000 is a high-severity use-after-free (CWE-416) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 8.0th percentile by exploit likelihood (below the median). CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability tracked as CVE-2023-43000 and assigned CWE-416 was addressed through improved memory management in multiple Apple products. The affected components include macOS Ventura prior to 13.5, iOS and iPadOS prior to 16.6, Safari prior to 16.6, and older iOS/iPadOS versions prior to 15.8.7. The flaw resides in the handling of web content and can result in memory corruption when maliciously crafted input is processed.

An unauthenticated remote attacker can trigger the issue by supplying malicious web content that a victim processes in the affected browser or operating system component. Successful exploitation yields high impact across confidentiality, integrity, and availability without requiring elevated privileges, though user interaction is needed to render the content.

Apple security advisories at the referenced support pages document the fixes and list the updated versions that resolve the vulnerability. The same references include a detailed analysis of an iOS exploit kit observed in the wild that leverages similar memory corruption primitives. The current EPSS score remains low at 0.0003 with no indicated upward movement.

EU & UK References

Vulnerability details

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption.

CWE(s)
KEV Date Added: 05 March 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple safari: ≤ 16.6
apple ipados: ≤ 15.8.7 · 16.0 to 16.6
apple iphone os: ≤ 15.8.7 · 16.0 to 16.6
apple macos: ≤ 13.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires memory protection mechanisms that would block use-after-free exploitation and resulting memory corruption when processing web content.

prevent: Mandates timely application of patches that remediate the specific memory-management flaw, as Apple did in the listed macOS/iOS/Safari updates.

prevent · detect: Provides malicious-code detection and blocking capabilities that can stop or alert on crafted web content used to trigger the vulnerability.

References