Cyber Resilience

CVE-2023-43010

HighUpdated

Published: 12 March 2026

Published
12 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0072 49.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2023-43010 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 49.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-43010 is a memory corruption vulnerability stemming from inadequate memory handling, classified under CWE-787 (Out-of-bounds Write). It affects Apple's WebKit engine, as used in Safari and integrated into iOS, iPadOS, and macOS Sonoma. The flaw is triggered by processing maliciously crafted web content and was assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability by enticing users to interact with specially crafted web content, such as visiting a malicious website, requiring no privileges but relying on user interaction. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially enabling arbitrary code execution, data theft, or system compromise on affected devices.

Apple addressed the issue through improved memory handling in multiple releases: iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, as well as iOS 15.8.7 and iPadOS 15.8.7. Security practitioners should prioritize updating affected systems to these versions or later, with further details available in Apple's security advisories at https://support.apple.com/en-us/120300, https://support.apple.com/en-us/120877, https://support.apple.com/en-us/120879, https://support.apple.com/en-us/126632, and https://support.apple.com/en-us/126646.

EU & UK References

Vulnerability details

The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead…

more

to memory corruption.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Memory corruption in WebKit enables remote code execution via malicious web content, directly mapping to drive-by compromise and client exploitation techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54543Same product: Apple Ipados
CVE-2025-43300Same product: Apple Ipados
CVE-2025-43209Same product: Apple Ipados
CVE-2025-43202Same product: Apple Ipados
CVE-2026-20616Same product: Apple Ipados
CVE-2026-43656Same product: Apple Ipados
CVE-2025-24167Same product: Apple Ipados
CVE-2025-24201Same product: Apple Ipados
CVE-2025-24150Same product: Apple Ipados
CVE-2024-54523Same product: Apple Ipados

Affected Assets

apple
safari
≤ 17.2
apple
ipados
≤ 15.8.7 · 16.0 — 16.7.15 · 17.0 — 17.2
apple
iphone os
≤ 15.8.7 · 16.0 — 16.7.15 · 17.0 — 17.2
apple
macos
≤ 14.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of the WebKit memory corruption flaw via vendor patches like iOS 17.2 and Safari 17.2.

prevent

Implements memory-resident code protections such as address space randomization and stack guards to directly counter out-of-bounds write vulnerabilities in WebKit.

preventdetect

Deploys malicious code protection mechanisms to scan, detect, and block crafted web content exploiting the WebKit memory handling deficiency.

References