🟢 CVE-2023-43000

CVE-2023-43000 is a use-after-free vulnerability in WebKit that affects client-side applications (Safari, iOS/iPadOS browsers, macOS Safari). Despite evidence of active exploitation, this requires user interaction to visit malicious websites and does not qualify as direct internet exploitation of public-facing applications.

← Back to Overview
LOW_RISK
Risk Level
8.8
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1189 — Drive-by Compromise
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-11-05

Added to CISA KEV: 2026-03-05 120 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-05)

CVE-2023-43000 is a use-after-free vulnerability in the WebKit rendering engine, which affects Apple's macOS, iOS, iPadOS, and Safari browsers [1] [8] [2].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability is present in WebKit, which is used by Safari and other applications on Apple devices to render web content. This means any application that uses WebKit for web rendering could be affected [1].
  • Evidence of active exploitation in the wild: There is evidence that CVE-2023-43000 has been exploited in the wild [3] [16]. It was included in the "Coruna" iOS exploit kit, which was observed targeting iPhones [3] [10] [4] [9].
  • Attack vectors and exploitation methods: The vulnerability can be triggered by processing specially crafted web content [1]. Attackers can exploit this by luring users to a malicious website or injecting malicious content into a trusted site [1] [12]. Successful exploitation could lead to arbitrary code execution within the context of the affected application [1]. The exploitability is described as "easy," and the attack can be launched remotely without requiring authentication, but it does require user interaction from the victim [2].
  • Use in targeted attacks: CVE-2023-43000 has been used in highly targeted operations [4]. It was observed as part of the Coruna exploit kit, which was deployed in watering hole attacks targeting Ukrainian users by a suspected Russian espionage group [4].
  • CISA Known Exploited Vulnerabilities status: As of the latest available information, CVE-2023-43000 is not listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog [5] [11] [13]. However, CISA regularly updates this catalog based on evidence of active exploitation [6] [14] [15] [17].
  • Technical details about internet exploitability: The vulnerability is a use-after-free flaw [1] [7] [8] [2]. This occurs when memory is freed but still referenced by the application, leading to memory corruption [1]. The specific technical details of the exploit are not widely disclosed, and an exploit is not publicly available [2]. Apple addressed this vulnerability with improved memory management [7]. It was patched by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023 [3].

Sources

  1. WebKit Use After Free in Apple Platforms (CVE-2023-43000): Brief...

    CVE-2023-43000 is a use after free vulnerability (CWE-416) in the WebKit rendering engine. The flaw occurs when memory is freed but still referenced by the application, which can lead to memory corruption. In this specific case, the vulnerability could be triggered by processing specially crafted we…

  2. Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting ...

    The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS.It's worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. Howeve…

  3. CVE-2023-43000 Apple macOS/iOS and iPadOS/Safari Web Content...

    This vulnerability is traded as CVE-2023-43000 since 09/14/2023. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. The technical details ar…

  4. Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group.We collected WebKit RCEs, which incl…

  5. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed