CVE-2025-43421: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-43421 is a security vulnerability discovered in Apple's WebKit engine that affects multiple Apple operating systems and browsers. The vulnerability was disclosed on November 3, 2025, and affects iOS 26.1, iPadOS 26.1, Safari 26.1, and visionOS 26.1. The issue involves array allocation sinking in WebKit, which could potentially be exploited through maliciously crafted web content (Apple iOS, Apple Safari).

The vulnerability is identified in WebKit's array allocation sinking mechanism and is tracked under WebKit Bugzilla ID 300718. It has been assigned a CVSS 3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The vulnerability is associated with two Common Weakness Enumeration (CWE) categories: CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) (NVD).

When exploited, this vulnerability can lead to an unexpected process crash when processing maliciously crafted web content. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity of the system (Apple iOS, NVD).

Apple has addressed this vulnerability by disabling array allocation sinking in the affected systems. The fix is available in iOS 26.1, iPadOS 26.1, Safari 26.1, and visionOS 26.1. Users are advised to update their devices to these versions to mitigate the vulnerability (Apple iOS, Apple Safari).

The vulnerability was discovered and reported by security researcher Nan Wang (@eternalsakura13), demonstrating ongoing security research efforts in the WebKit community (Apple iOS).