HighCISA KEVExploited in the wildPublic exploit

WebKit Use-After-Free in Apple Safari, iOS, iPadOS, and macOS

IdentifiersCVE-2023-43000CWE-416· Use After FreeAlso known asterrorbird

CVE-2023-43000 is a WebKit use-after-free vulnerability in Apple platforms. Apple describes it as a use-after-free issue addressed with improved memory management. When WebKit processes maliciously crafted web content, the stale object access can lead to memory corruption. The issue was fixed in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, Safari 16.6, and later backported to iOS 15.8.7 and iPadOS 15.8.7 for older devices. Reporting on the Coruna exploit kit identifies this flaw as the WebContent read/write stage codenamed "terrorbird" for iOS 16.2 through 16.5.1, used to achieve initial code execution in the browser renderer process.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may cause memory corruption in the WebKit/WebContent context. In practical terms, this can crash Safari or the affected application rendering web content, disclose sensitive information, or provide initial code execution in the browser renderer process as part of a larger exploit chain. Multiple reports state the vulnerability has been exploited in the wild, including as part of the Coruna exploit kit, where it was used as an initial browser compromise stage before additional sandbox escape and privilege-escalation steps.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted web content and known malicious domains, and restrict browsing from vulnerable devices. Apple states Lockdown Mode blocks Coruna-related attacks even on older systems, so enabling Lockdown Mode is a meaningful mitigation for high-risk users. Safari Safe Browsing and standard web filtering controls may help block known delivery infrastructure, but these measures are compensating controls only and do not remove the underlying vulnerability.

Remediation

Patch, then assume compromise.

Apply Apple security updates that include the fix for CVE-2023-43000. The issue is fixed in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6. Apple also backported the fix to iOS 15.8.7 and iPadOS 15.8.7 for legacy devices that cannot upgrade to newer major releases. Organizations should prioritize patching all affected Apple devices and Safari installations, especially internet-exposed user endpoints.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AppleIpadosoperating_system

AppleIphone Osoperating_system

AppleMacosoperating_system

AppleSafariapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

49 SOURCESView more in app

socket blogNews

May 20, 2026

Coruna Respawned: Compromised art-template npm Package Leads...

A Coruna exploit chain vulnerability targeting iOS 16.2–16.5 and fixed in iOS 16.6.

breakglass intelNews

Apr 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

A WebKit JIT type confusion vulnerability used in Coruna Stage 1 to achieve initial code execution in the browser renderer on iOS 16.2-16.5.1.

security affairsNews

Mar 20, 2026

Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

A WebContent read/write exploit component in the Coruna exploit kit for iOS devices.

the hacker newsNews

Mar 18, 2026

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

A security flaw for which Apple expanded patches; the flaw was weaponized as part of the Coruna exploit kit.

+25 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence23

Every observed campaign linking this CVE to a named adversary.

Associated malware29

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2023-43000

NVD

nvd.nist.gov/vuln/detail/CVE-2023-43000

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

support.apple.com/en-us/120324

Vendor Advisory

support.apple.com/en-us/120331

Vendor Advisory

support.apple.com/en-us/120338

Vendor Advisory

support.apple.com/en-us/126632

Third Party Advisory

cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43000