CVE-2025-43443
Description
This issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crash in Safari and other Apple frameworks via malicious web content has been patched by improving internal checks.
Root Cause
CVE-2025-43443 is a denial-of-service vulnerability affecting multiple Apple operating systems. Processing specially crafted web content can trigger an unexpected process crash. The root cause was insufficient validation, which Apple addressed through improved internal checks [1][2][3][4].
Attack Vector
The attack is delivered through web content, so any application that renders untrusted HTML, JavaScript, or other web resources—most notably Safari and WKWebView-based apps—can be targeted. No special privileges are required; the attacker simply needs to serve or induce the victim to open the malicious content. The vulnerability is triggered during content processing, not through user interaction beyond normal browsing.
Impact
Successful exploitation results in a crash of the application or system process handling the web content, causing a temporary denial of service. The vulnerability is rated Medium (CVSS 4.3), reflecting the limited impact to availability without any compromise of confidentiality or integrity.
Mitigation
Apple released updates on November 3–5, 2025, for Safari 26.1, iOS/iPadOS 18.7.2 and 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1 [1][2][3][4]. Users should apply these updates immediately. No workarounds other than updating have been published.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* range: <26.1
- (no CPE) range: <26.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
News mentions (0)
No linked articles in our index yet.