CVE-2023-43000 — Apple Multiple Products WebKit Use-After-Free Vulnerability

CVE-2023-43000

Apple WebKit — Use-After-Free in Maliciously Crafted Web Content Leads to Code Execution; Fixed iOS 16.6 (July 2023); NVD Registration Delayed 2 Years; Exploited in Coruna Exploit Kit Targeting Legacy iPhones

What is Apple WebKit?

WebKit is Apple's open-source browser rendering engine that powers Safari on macOS and all web browsers on iOS and iPadOS — Apple's platform policy requires every iOS/iPadOS browser app to use WebKit as its rendering engine, regardless of brand. WebKit processes HTML, CSS, JavaScript, and media content, and its JavaScript engine (JavaScriptCore) and DOM implementation handle complex, potentially attacker-controlled web content. Use-after-free (UAF) vulnerabilities in WebKit are among the highest-severity browser bugs: they corrupt heap memory in a way that can give an attacker control over freed memory regions, enabling arbitrary code execution inside the WebKit renderer process on the victim's device. Because all iOS browsers share WebKit, a WebKit vulnerability affects every browser on every iPhone and iPad running a vulnerable version.

Overview

CVE-2023-43000 is a use-after-free vulnerability (CWE-416) in Apple WebKit that allows an attacker to achieve memory corruption and potentially arbitrary code execution by serving maliciously crafted web content to a victim's browser. Apple patched it in July 2023 as part of iOS 16.6, iPadOS 16.6, macOS Ventura 13.5, and Safari 16.6. Despite the July 2023 patch, the CVE was not formally registered in NVD until November 5, 2025 — nearly 2.5 years after the fix — and CISA added it to the KEV catalog in March 2026 after its inclusion in the Coruna exploit kit targeting legacy iPhones was confirmed.

The ~2.5 year delay between patch and KEV addition is explained by the delayed CVE registration: the vulnerability was fixed in 2023 but not formally tracked in NVD until late 2025, after which CISA's active exploitation confirmation (from the Coruna kit activity) prompted the March 2026 KEV addition.

Affected Versions

| Product | Affected | Fixed |
| --- | --- | --- |
| iOS | Prior to 16.6 | 16.6 (July 24, 2023) |
| iPadOS | Prior to 16.6 | 16.6 (July 24, 2023) |
| macOS Ventura | Prior to 13.5 | 13.5 (July 24, 2023) |
| Safari (macOS Big Sur / Monterey) | Prior to 16.6 | 16.6 (July 24, 2023) |
| iOS 15.x (legacy devices) | Prior to 15.8.7 | 15.8.7 (March 2026 backport) |
| iOS 16.x (legacy devices) | Prior to 16.7.15 | 16.7.15 (March 2026 backport) |

Note: Apple released backports to legacy device lines (iPhone 6s, iPhone 7, iPhone SE 1st generation, iPad Air 2, iPad mini 4th generation, iPod touch 7th generation) in March 2026 after those older devices became active targets in the Coruna exploit kit campaigns.

Technical Details

Use-after-free (CWE-416) vulnerabilities in WebKit arise when the JavaScript engine or DOM implementation deallocates a heap object but retains a stale pointer to the freed memory region. If that stale pointer is subsequently dereferenced — for example, during a JavaScript callback, event handler, or garbage collection cycle — the browser accesses memory that may have been reclaimed and overwritten by an attacker-controlled allocation.

The exploitation pattern for WebKit UAFs:

  1. Craft triggering web content — construct JavaScript and HTML that causes WebKit to free a target object while a stale reference is retained
  2. Heap grooming — allocate attacker-controlled objects of the same size as the freed region to occupy the freed memory, placing controlled data at the stale pointer's location
  3. Trigger dereference — cause WebKit to dereference the stale pointer, now pointing to the attacker-controlled allocation
  4. Achieve code execution — the controlled data at the stale pointer location manipulates WebKit's internal state (function pointers, vtable entries) to redirect execution to attacker-supplied code

CVE-2023-43000 was exploited in conjunction with additional vulnerabilities in multi-stage chains. The Coruna exploit kit chained it with CVE-2023-43010 (another WebKit vulnerability) and CVE-2023-41974, with CVE-2024-23222 used in some chain configurations, to achieve full device compromise beyond the WebKit renderer process.

Discovery

Apple credited no external researcher in the iOS 16.6 advisory for CVE-2023-43000 — it was internally discovered or reported via Apple's private vulnerability program. The approximately 2-year gap between the July 2023 patch and the November 2025 NVD registration reflects a CVE assignment that was completed long after the fix, rather than a delayed patch.

Active exploitation was confirmed through analysis of the Coruna exploit kit, which was identified in 2025–2026 by mobile security researchers examining targeted attacks on legacy iOS devices.

Exploitation Context

CVE-2023-43000 is a component of the Coruna commercial exploit kit — a sophisticated framework containing 23 WebKit and kernel exploits organized across 5 distinct exploitation chains, covering iOS versions 13.0 through 17.2.1. The kit dynamically selects the appropriate chain based on the victim device's exact iOS version fingerprint, maximizing the probability of successful exploitation across the diverse iOS version landscape in the wild.

The associated malware framework, tracked by iVerify researchers as CryptoWaters, exhibits structural characteristics resembling previously documented frameworks associated with nation-state-level surveillance capabilities. At the time of confirmed KEV-level exploitation, the kit was linked to Chinese-affiliated threat actors specifically targeting older iPhone models — particularly legacy devices (iPhone 6s, 7, SE, and similar) that had not received the July 2023 iOS 16.6 patch because they run older iOS branches no longer receiving the current iOS update stream.

The threat model:

  • Legacy iOS devices that can no longer upgrade to iOS 17+ are permanently vulnerable to CVE-2023-43000 unless Apple provides a backport
  • Users of these devices who still use Safari for web browsing remain exploitable via drive-by attacks
  • Apple's March 2026 backport (iOS 15.8.7, iOS 16.7.15) directly addressed this targeting pattern — the backports were a response to confirmed active exploitation of legacy devices in the Coruna campaign

Remediation

  1. Update to iOS/iPadOS 16.6 or later — applies the July 2023 WebKit UAF fix; modern devices should update to the current iOS version.
  2. Legacy devices: apply iOS 15.8.7 or iOS 16.7.15 — Apple released these backports in March 2026 specifically for older devices no longer receiving iOS 17+ updates; apply via Settings → General → Software Update.
  3. Enable automatic updates — iOS automatic updates ensure WebKit zero-day patches are applied with minimal delay; enable via Settings → General → Software Update → Automatic Updates.
  4. Update Safari on macOS — apply macOS Ventura 13.5 or the corresponding Safari 16.6 update for macOS Big Sur and Monterey.
  5. Enable Lockdown Mode for at-risk individuals — Lockdown Mode restricts WebKit functionality used in commercial exploit chains (JavaScript JIT compilation, complex web APIs), significantly raising the exploitation cost for chains like Coruna.
  6. Retire legacy devices that cannot be patched — devices that have reached the end of Apple's backport support window and cannot receive further WebKit security updates present an unmitigable risk; replace them with devices receiving current iOS updates.
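To apply the steps above across a fleet, the following added example (not part of the original advisory or any Apple tooling) triages an inventory export against the fixed versions listed in the Affected Versions table. The CSV column names, the `legacy` flag, the host names, and the decision to treat legacy iPads like legacy iPhones are assumptions made for illustration.

```python
import csv, io

# Fixed releases copied from the "Affected Versions" table on this page.
MAINLINE_FIX = {"ios": (16, 6), "ipados": (16, 6), "macos": (13, 5), "safari": (16, 6)}
LEGACY_FIX = {15: (15, 8, 7), 16: (16, 7, 15)}  # March 2026 backports, keyed by iOS major

def parse_version(text):  # '16.5.1' -> (16, 5, 1); ValueError if not numeric
    return tuple(int(part) for part in text.strip().split("."))

def at_least(version, minimum):
    """Compare after zero-padding so that 16.6 and 16.6.0 are equal."""
    width = max(len(version), len(minimum))
    return version + (0,) * (width - len(version)) >= minimum + (0,) * (width - len(minimum))

def triage(product, version_text, legacy=False):
    """Return (status, action) for one inventory record."""
    product = product.strip().lower()
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown", "unparseable version, check manually"
    if product not in MAINLINE_FIX:
        return "unknown", "product not in the advisory table"
    if product == "macos" and version[0] < 13:
        return "unknown", "pre-Ventura macOS: check the Safari version instead"
    fix = MAINLINE_FIX[product]
    # Assumption: legacy iPads follow the same backport branches as legacy iPhones.
    if legacy and product in ("ios", "ipados"):
        if version[0] < min(LEGACY_FIX):
            return "vulnerable", "no backport listed for this branch, retire device"
        fix = LEGACY_FIX.get(version[0], fix)
    if at_least(version, fix):
        return "patched", "none"
    return "vulnerable", "update to " + ".".join(map(str, fix)) + " or later"

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,product,version,legacy
exec-iphone,iOS,17.2.1,no
lab-iphone7,iOS,15.8.2,yes
kiosk-ipad,iPadOS,16.7.10,yes
old-ipod,iOS,14.8,yes
dev-mac,macOS,13.4.1,no
"""

def triage_inventory(text=SAMPLE):
    rows = csv.DictReader(io.StringIO(text))
    return {r["host"]: triage(r["product"], r["version"], r["legacy"] == "yes") for r in rows}

if __name__ == "__main__":
    print(*(f"{h}: {s} ({a})" for h, (s, a) in triage_inventory().items()), sep="\n")
```

Records that come back `vulnerable` on or after the CISA deadline listed under Required Action are the ones to escalate first.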

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2023-43000 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2025-11-05 |
| NVD Last Modified | 2026-03-12 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2026-03-05 |
| CISA KEV Deadline | 2026-03-26 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2026-03-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2023-07-24 | Apple releases iOS 16.6, iPadOS 16.6, macOS Ventura 13.5, and Safari 16.6 — patching CVE-2023-43000 among other vulnerabilities |
| 2025-11-05 | CVE-2023-43000 registered and published to NVD — approximately 2 years after Apple's original patch release |
| 2026-03-05 | CISA adds CVE-2023-43000 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the Coruna exploit kit |
| 2026-03-12 | NVD last modified date — updated with exploitation context as KEV activity confirmed |
| 2026-03-26 | CISA BOD 22-01 remediation deadline for U.S. federal agencies |