CVE-2025-43529 — Apple Multiple Products Use-After-Free WebKit Vulnerability

CVE-2025-43529

Apple iOS/macOS — WebKit UAF Zero-Day; Mercenary Spyware Targeting; Apple's 9th Exploited Zero-Day of 2025

What is Apple WebKit?

WebKit is Apple's open-source browser engine. It renders Safari on macOS, iOS, iPadOS, tvOS, watchOS and visionOS, and it also backs the in-app web views (WKWebView, SFSafariViewController) that mail, messaging and social apps use to open links. Apple's App Store rules require third-party browsers on iOS (Chrome, Firefox, Edge, Brave, etc.) to use WebKit rather than their own rendering engines; the one exception is the EU, where Apple has permitted alternative engines since iOS 17.4 under the Digital Markets Act. In practice a WebKit vulnerability therefore reaches every iPhone and iPad through whichever browser or app the user opens a link in, not just Safari, which is what makes WebKit zero-days universally impactful across iOS devices.

Overview

CVE-2025-43529 is a use-after-free (CWE-416) in WebKit: processing a specially crafted web page can corrupt memory and potentially lead to arbitrary code execution in the renderer process, so the attacker's only precondition is getting the target to load a page. Apple disclosed the vulnerability on December 15, 2025, confirming it was "exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26." That wording is characteristic of mercenary spyware (Pegasus, Predator and similar tooling) used against journalists, activists, government officials and executives. It was Apple's ninth exploited zero-day of 2025.

Affected Versions

Product                     Vulnerable                                   Fixed in
iOS / iPadOS                < 26.2 (26 line), < 18.7.3 (18 line)         26.2 / 18.7.3
macOS Tahoe                 < 26.2                                       26.2
macOS Sequoia               15.x without the corresponding update        corresponding Sequoia security update (build not stated on this page)
Safari                      < 26.2                                       26.2
tvOS / watchOS / visionOS   < 26.2                                       26.2

Technical Details

The vulnerability is a use-after-free (CWE-416) in WebKit. A use-after-free occurs when an object's memory is freed while other code still holds a pointer to it and later dereferences that dangling pointer. WebKit maintains a large graph of reference-counted objects (DOM nodes, JavaScript wrappers, layout and rendering state), and the recurring bug pattern in the engine is a raw pointer or reference held across an operation that can run script, dispatch an event or trigger layout, any of which can drop the object's last reference part-way through the operation. Neither Apple's advisory nor this page identifies the affected object or code path, so the description here is of the bug class, not the specific root cause.

Exploitation follows the standard WebKit UAF recipe. The page's JavaScript and HTML drive the engine into the sequence that frees the object while the stale reference survives. The attacker then reallocates the freed memory with data they control (heap grooming: allocating objects of the same size class, typed-array backing stores for example, until one lands in the freed slot). When the stale pointer is next dereferenced it reads attacker bytes where a vtable pointer or length field used to be, which the exploit turns into an arbitrary read/write primitive and from there into code execution inside the sandboxed WebContent process. On arm64e devices pointer authentication (PAC) makes that last step harder but not impossible. Full device compromise still needs at least one further vulnerability to escape the renderer sandbox and usually another to reach the kernel; mercenary spyware chains bundle those separately.
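The free-then-reallocate sequence described above, reduced to a self-contained C model. This is an added illustration, not WebKit code and not the code path behind CVE-2025-43529 (which has not been published): a four-slot first-fit allocator stands in for a size-class heap, a Node with a callback pointer stands in for a DOM object with a vtable, and a Listener holding a raw pointer stands in for whatever data structure keeps the stale reference. All names (pool_alloc, Node, Listener, groom_heap, run_vulnerable, run_fixed) are hypothetical. run_vulnerable() frees the node while the listener still points at it, lets the attacker reallocate the slot with a same-size buffer, and dispatches through the overwritten callback; run_fixed() has the listener take its own reference, the way WebKit's Ref<T>/RefPtr<T> keep an object alive across a call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DOM-like object: a callback slot (stands in for a vtable
   pointer) plus a reference count, the way WebCore objects are RefCounted. */
typedef struct {
    int (*on_event)(int);
    int refcount;
    int id;
} Node;

/* Attacker-controlled allocation of exactly the same size, e.g. the backing
   store of a typed array whose bytes are written from JavaScript. */
typedef struct {
    unsigned char bytes[sizeof(Node)];
} Buffer;

typedef union { Node node; Buffer buf; } Slot;

/* Toy size-class allocator (constructed for this example, not bmalloc):
   four slots, first free slot wins, so a freed slot is the very next one
   handed out. That reuse is exactly what a heap groom relies on. */
#define POOL_SLOTS 4
static Slot pool[POOL_SLOTS];
static int  slot_free[POOL_SLOTS];

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < POOL_SLOTS; i++) slot_free[i] = 1;
}
static Slot *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return &pool[i]; }
    return NULL;
}
static void pool_release(Slot *s) { slot_free[s - pool] = 1; }

static int real_handler(int x) { (void)x; return 2; }          /* legitimate behaviour */
static int fake_handler(int x) { (void)x; return 0x41414141; } /* attacker's target */

/* A second data structure holding a raw pointer to the node: the stale side. */
typedef struct { Node *target; } Listener;

static void node_ref(Node *n)   { n->refcount++; }
static void node_deref(Node *n) { if (--n->refcount == 0) pool_release((Slot *)n); }

/* Attacker step: allocate a same-size buffer and overlay the on_event field.
   Writes go through unsigned char, so they may alias the Node that used to live here. */
static void groom_heap(void) {
    Slot *a = pool_alloc();
    if (!a) return;
    int (*fp)(int) = fake_handler;
    memset(a->buf.bytes, 0x41, sizeof a->buf.bytes);
    memcpy(a->buf.bytes + offsetof(Node, on_event), &fp, sizeof fp);
}

/* Bug: the listener never took a reference, so the document's last deref
   frees the node while listener.target still points into the slot. */
int run_vulnerable(void) {
    pool_reset();
    Slot *s = pool_alloc();
    s->node = (Node){ real_handler, 1, 7 };
    Listener listener = { &s->node };

    node_deref(&s->node);   /* document tears the node down: refcount 1 -> 0, slot freed */
    groom_heap();           /* attacker's buffer lands in the same slot */
    return listener.target->on_event(1);   /* stale pointer: now calls fake_handler */
}

/* Fix: the listener owns a reference for as long as it holds the pointer. */
int run_fixed(void) {
    pool_reset();
    Slot *s = pool_alloc();
    s->node = (Node){ real_handler, 1, 7 };
    Listener listener = { &s->node };
    node_ref(listener.target);   /* refcount 2: Ref<T> semantics */

    node_deref(&s->node);        /* document drops its reference: 2 -> 1, still alive */
    groom_heap();                /* attacker gets a different slot */
    int r = listener.target->on_event(1);   /* still real_handler */
    node_deref(listener.target); /* listener done: 1 -> 0, freed only now */
    return r;
}

int main(void) {
    printf("vulnerable: 0x%x (attacker-chosen callback ran)\n", (unsigned)run_vulnerable());
    printf("fixed:      %d (original callback ran)\n", run_fixed());
    return 0;
}
```

The model deliberately leaves the freed slot's bytes in place, as a real allocator does; the only thing that changes between the two runs is who owns a reference while the pointer is live. In WebKit the equivalent fix is usually a `Ref<T> protectedNode(*node);` (or a `RefPtr`) taken before the call that can run script.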

Key impact for iOS: because every browser and in-app web view on iOS outside the EU is WebKit, opening a malicious URL in Safari, Chrome, Firefox or a messaging app's built-in viewer is equally exposed. The CVSS vector on this page (UI:R) reflects one-click delivery: the target has to open the link. Zero-click chains seen in earlier mercenary spyware campaigns typically went through messaging-attachment parsers rather than the browser, and nothing published about this CVE indicates exploitation without user interaction.

Discovery

Google Threat Analysis Group (TAG) and Apple Security Engineering & Architecture (SEAR) jointly identified the vulnerability and exploitation.

Exploitation Context

Apple stated exploitation occurred in "an extremely sophisticated attack against specific targeted individuals", the language Apple uses when mercenary spyware operators are involved. Apple did not name the operator or tooling; the phrasing matches what it has used for earlier exploits tied to Pegasus (NSO Group), Predator (Intellexa) and similar commercial surveillance products deployed against journalists, human rights defenders, politicians and corporate executives.

This was Apple's ninth exploited zero-day of 2025, reflecting the sustained rate at which in-the-wild exploits against Apple's platforms, and WebKit in particular, continue to be found. Google TAG's involvement in the discovery is consistent with its long-running tracking of commercial surveillance vendors, but no public attribution to a specific vendor is recorded on this page.

Remediation

  1. Update all Apple devices immediately: iOS/iPadOS 26.2 (or 18.7.3 for devices on the 18 line), macOS Tahoe 26.2, Safari 26.2, and the corresponding tvOS/watchOS/visionOS 26.2 releases. The CISA BOD 22-01 deadline was January 5, 2026.
  2. Treat every iPhone and iPad as exposed, including devices whose users only ever use Chrome or Firefox: outside the EU those browsers are WebKit underneath, and in-app web views are WebKit on every device.
  3. Enable Lockdown Mode for high-risk individuals (journalists, government officials, executives, activists). It disables JavaScript just-in-time compilation in Safari and blocks most message attachments and link previews, removing primitives that WebKit exploit chains commonly depend on.
  4. Do not open unsolicited links from messaging apps, email or social media; WebKit zero-days of this kind are delivered as a link the target is induced to tap.
  5. Enable automatic updates. A zero-day becomes an n-day the moment the fix ships, and because WebKit is open source the fixing commit gives other attackers a roadmap, so the gap between Apple's release and installation is the window in which exploitation spreads beyond the original targets.
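A fleet check for the update step above, as an added example (not Apple's or CISA's tooling). It encodes the fixed versions from this page's table, compares versions component-wise (so 26.10 correctly ranks above 26.2, which a plain string compare gets wrong), branches on the major line for iOS (18.7.3 versus 26.2), and reports macOS 15.x as unknown because the page does not give the Sequoia build. The inventory in main() is constructed sample data, and the function names are hypothetical; in practice the OS/version pairs would come from an MDM export or, on a Mac, from `sw_vers -productVersion`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed versions listed on this page for CVE-2025-43529. */
#define FIX_26    "26.2"     /* iOS/iPadOS 26 line, macOS Tahoe, Safari, tvOS/watchOS/visionOS */
#define FIX_IOS18 "18.7.3"   /* backport on the iOS/iPadOS 18 line */

/* True when s is a dotted numeric version such as "18.7.3". */
static int valid_version(const char *s) {
    if (!*s) return 0;
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '.')) return 0;
    return 1;
}

/* Component-wise numeric compare: "26.10" > "26.2" and "26.2" == "26.2.0".
   Returns 1 when a >= b, 0 otherwise (also 0 for malformed input). */
int version_ge(const char *a, const char *b) {
    if (!valid_version(a) || !valid_version(b)) return 0;
    while (*a || *b) {
        long x = strtol(a, (char **)&a, 10);   /* missing component reads as 0 */
        long y = strtol(b, (char **)&b, 10);
        if (x != y) return x > y;
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 1;
}

/* Classify one OS/version pair against the page's fix list:
   "patched", "vulnerable" or "unknown". */
const char *cve_2025_43529_status(const char *os, const char *ver) {
    if (!valid_version(ver)) return "unknown";
    long major = strtol(ver, NULL, 10);
    const char *fixed;
    if (!strcmp(os, "iOS") || !strcmp(os, "iPadOS")) {
        if (major >= 26)      fixed = FIX_26;
        else if (major == 18) fixed = FIX_IOS18;
        else return "vulnerable";   /* iOS 17 and older: no fix listed on this page */
    } else if (!strcmp(os, "macOS")) {
        if (major >= 26) fixed = FIX_26;
        else return "unknown";      /* Sequoia/Sonoma: page gives no build; check the Safari version instead */
    } else if (!strcmp(os, "Safari") || !strcmp(os, "tvOS") ||
               !strcmp(os, "watchOS") || !strcmp(os, "visionOS")) {
        fixed = FIX_26;
    } else {
        return "unknown";
    }
    return version_ge(ver, fixed) ? "patched" : "vulnerable";
}

int main(void) {
    /* Constructed sample inventory (device, OS, version); not a real MDM export. */
    static const char *fleet[][3] = {
        {"ceo-iphone", "iOS",    "18.7.2"},
        {"cfo-iphone", "iOS",    "26.2"},
        {"legal-ipad", "iPadOS", "26.1"},
        {"mac-01",     "macOS",  "26.2"},
        {"mac-02",     "macOS",  "15.7"},
        {"tv-lobby",   "tvOS",   "26.2"},
    };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++)
        printf("%-12s %-8s %-8s %s\n", fleet[i][0], fleet[i][1], fleet[i][2],
               cve_2025_43529_status(fleet[i][1], fleet[i][2]));
    return 0;
}
```

Anything reported as unknown needs a human look at Apple's own advisory; the classifier deliberately refuses to guess where this page gives no fixed build.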

Key Details

Property              Value
CVE ID                CVE-2025-43529
Vendor / Product      Apple — Multiple Products
NVD Published         2025-12-17
NVD Last Modified     2026-04-03
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416 (Use After Free)
CISA KEV Added        2025-12-15
CISA KEV Deadline     2026-01-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-01-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-12-15  Apple releases emergency patches; CISA adds the CVE to KEV with exploitation confirmed; Apple's 9th exploited zero-day of 2025
2025-12-17  CVE published to NVD
2026-01-05  CISA BOD 22-01 remediation deadline