CVE-2025-43432: 
Apple Safari vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-43432) was discovered in WebKit, affecting multiple Apple operating systems including Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1, iPadOS 26.1, and tvOS 26.1. The vulnerability was discovered by Hossein Lotfi of Trend Micro Zero Day Initiative and was disclosed on November 3, 2025 (Apple Support).

The vulnerability is classified as a use-after-free issue in WebKit that was addressed with improved memory management. The issue is tracked in WebKit Bugzilla under ID 299313. According to CISA's assessment, the vulnerability has a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating it is network accessible, requires low attack complexity, and needs user interaction (NVD).

When exploited, processing maliciously crafted web content may lead to an unexpected process crash. The vulnerability affects multiple Apple platforms and could potentially impact users across Safari browser and various Apple devices (Apple Support, Apple Support).

Apple has addressed this vulnerability by implementing improved memory management in the following updates: Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, and tvOS 26.1. Users are advised to update their devices to these versions to mitigate the risk (Apple Support).