CVE-2023-43000: Apple WebKit Use-After-Free Affecting iOS, iPadOS, macOS, and Safari

What is CVE-2023-43000?

CVE-2023-43000 is a WebKit use-after-free vulnerability that can be triggered by maliciously crafted web content. Apple describes the issue as a use-after-free addressed with improved memory management, where processing crafted content “may lead to memory corruption.” The fix is documented across Apple security notes for iOS/iPadOS 16.6, macOS Ventura 13.5, and Safari 16.6. Apple’s security pages for the July 24, 2023 releases were later updated to include this CVE (with an “entry added” date shown in those notes), and the NVD record reflects subsequent publication/updates as well.

  • Vulnerable component: WebKit (browser engine used by Safari and many in-app web views)

  • Bug class: Use-after-free (CWE-416)

  • Trigger: Processing maliciously crafted web content

What is Affected By CVE-2023-43000?

CVE-2023-43000 affects Apple platforms running WebKit builds prior to Apple’s patched releases. Per the NVD summary sourced from Apple, the issue is fixed in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6, so earlier versions in those lines should be treated as impacted until updated. Apple’s security notes place the fix in the July 24, 2023 releases for iOS/iPadOS 16.6 and macOS Ventura 13.5, and in Safari 16.6 (Safari update noted for macOS Big Sur/Monterey). Because the vulnerable code is in WebKit, products that embed WebKit (including some third-party ports) may also track this CVE and should be checked against their own advisories.

  • Apple products / fixed versions (update to these or later):

    • iOS: 16.6

    • iPadOS: 16.6

    • macOS Ventura: 13.5

    • Safari: 16.6 (Safari security note lists availability for macOS Big Sur/Monterey)

  • Non-Apple WebKit ports (check your platform/vendor):

    • WebKitGTK / WPE WebKit before 2.42.0 (per WebKitGTK advisory)

Mitigation and Remediation For CVE-2023-43000

The primary remediation is to install Apple’s updates that include the WebKit fix. Apple and the NVD record indicate the issue is resolved by updating to iOS/iPadOS 16.6, macOS Ventura 13.5, and/or Safari 16.6, depending on your device and platform. Where immediate updates are operationally difficult, compensating controls should focus on reducing exposure to untrusted web content paths that invoke WebKit (browser use, in-app web views, link previews). Defense-in-depth measures won’t “patch” the bug, but they can reduce the likelihood of a successful drive-by scenario. If you operate WebKit-based stacks outside Apple (e.g., WebKitGTK), follow that project/vendor’s patched version guidance as well.

  • Patch/upgrade actions (recommended):

    • Update iPhone/iPad to iOS/iPadOS 16.6 or later

    • Update macOS Ventura to 13.5 or later

    • Install Safari 16.6 or later where applicable

    • For Linux/embedded uses: update WebKitGTK/WPE WebKit to 2.42.0+ (or your distro’s patched build)

  • Compensating controls (until fully patched):

    • Enforce rapid OS/browser update compliance via MDM and maintenance windows.

    • Reduce exposure to untrusted links/content (email/web filtering, user training, high-risk browsing restrictions).

    • Consider additional hardening modes for high-risk users/devices (where your environment supports it).
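The patch/upgrade actions above can be checked against a device inventory. The following is an added example, not code from the original article or from Apple: it compares each host's reported version with the fixed versions listed on this page and, for macOS Big Sur/Monterey, uses the Safari version instead. The CSV column names, host names and platform labels are assumptions, and versions on release lines the page does not list are simply compared against the listed minimum.

```python
import csv
import io
import re

# Fixed versions as listed in the article for CVE-2023-43000.
FIXED = {"ios": (16, 6), "ipados": (16, 6), "macos": (13, 5), "safari": (16, 6),
         "webkitgtk": (2, 42, 0), "wpewebkit": (2, 42, 0)}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, or None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def at_least(version, minimum):
    """Compare after zero-padding, so 16.6 and 16.6.0 are equal."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def assess(row):
    """Classify one inventory row: patched, update-required or unknown."""
    platform = row["platform"].strip().lower()
    version = parse_version(row["version"])
    if platform not in FIXED or version is None:
        return "unknown"
    minimum = FIXED[platform]
    # Big Sur (11) and Monterey (12) get the fix via Safari 16.6, so check Safari.
    if platform == "macos" and version[0] < 13:
        version, minimum = parse_version(row.get("safari_version")), FIXED["safari"]
        if version is None:
            return "unknown"
    return "patched" if at_least(version, minimum) else "update-required"

def audit(csv_text):
    """Map each host in a CSV inventory export to its status."""
    return {r["host"]: assess(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE = """host,platform,version,safari_version
iphone-01,iOS,16.5.1,
ipad-07,iPadOS,16.6,
mbp-ventura,macOS,13.4.1,16.5.2
mbp-monterey,macOS,12.6.8,16.6
imac-bigsur,macOS,11.7.9,16.5
kiosk-linux,WebKitGTK,2.40.5,
byod-unknown,Android,13,
"""

if __name__ == "__main__":
    print("\n".join(f"{h:14} {s}" for h, s in audit(SAMPLE).items()))
```

Hosts reported as "unknown" (unrecognized platform or missing version data) need manual review rather than being assumed patched.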

Impact of Successful Exploitation of CVE-2023-43000

Successful exploitation can result in WebKit memory corruption that may be used to crash processes and potentially achieve code execution in a browser context. Apple’s stated impact is memory corruption when processing malicious web content, which can manifest as crashes or unpredictable behavior in the WebKit rendering process. In practical threat scenarios, the most common delivery path is a malicious website or crafted content rendered inside an app using WebKit. A strong signal of real-world relevance is that Google Cloud reported collecting WebKit RCEs used by an iOS exploit kit that included CVE-2023-43000.

  • Likely outcomes defenders should plan for:

    • Web content–triggered memory corruption in WebKit

    • Browser/app instability or crashes during content rendering

    • Potential code execution within a WebKit process (especially when chained with other bugs), as described in third-party exploitation reporting

    • Use as an initial access step in a broader exploit chain (e.g., “drive-by” style campaigns)

Proof of Concept for CVE-2023-43000

There is evidence of real-world weaponization, but Apple’s advisories do not include a public PoC or detailed reproduction steps. Apple’s notes focus on the impact and that the bug was fixed via improved memory management in WebKit, without publishing exploit details. Google Cloud’s threat research, however, explicitly lists CVE-2023-43000 among WebKit RCEs they collected in an iOS exploit-kit ecosystem, indicating that functional exploitation existed outside of public vendor write-ups. For defensive testing, a safer approach is to validate patch levels and use generic WebKit “stability smoke tests” (which are not CVE-specific exploits) to help spot obviously vulnerable/unstable builds during lab evaluation.

  • Defensive research references (non-vendor):

    • Google Cloud threat research on the exploit kit that included CVE-2023-43000

    • WebKitGTK advisory mapping CVE-2023-43000 to affected/patched WebKitGTK/WPE versions

 

<!-- Defensive testing only: generic WebKit stress harness (NOT a CVE-2023-43000 exploit). -->
<!doctype html>
<meta charset="utf-8" />
<title>WebKit Stability Smoke Test</title>
<script>
// Exercises common DOM/string churn paths. A "pass" does NOT prove you're safe—patching does.
function churn() {
  const host = document.createElement("div");

  // Build a detached subtree of text-heavy spans, dropping a node every 40 iterations.
  for (let i = 0; i < 800; i++) {
    const n = document.createElement("span");
    n.textContent = "x".repeat(512);
    host.appendChild(n);
    if (i % 40 === 0 && host.lastChild) host.removeChild(host.lastChild);
  }

  // Attach the subtree, detach it again, and repeat on the next frame.
  document.body.appendChild(host);
  host.remove();

  requestAnimationFrame(churn);
}

requestAnimationFrame(churn);
</script>

 

