HighCISA KEVExploited in the wildPublic exploit

WebKit Use-After-Free in Apple Safari, iOS, iPadOS, and macOS

IdentifiersCVE-2023-43000CWE-416· Use After FreeAlso known asterrorbird

CVE-2023-43000 is a use-after-free vulnerability in Apple WebKit. Apple states the issue was addressed with improved memory management. When WebKit processes maliciously crafted web content, stale object references can be dereferenced after the underlying memory has been freed, leading to memory corruption. The flaw affects Apple platforms that use WebKit for web content rendering, including macOS Ventura prior to 13.5, iOS prior to 16.6, iPadOS prior to 16.6, and Safari prior to 16.6, with later backported fixes also released for iOS 15.8.7 and iPadOS 15.8.7. Reporting in the provided content further indicates the vulnerability was used as a WebKit initial-access/browser-renderer exploit in the Coruna exploit kit, where it was referred to as "terrorbird."

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may cause memory corruption in the WebKit content-processing context. The provided content indicates this can result in application instability or crashes and may potentially be leveraged for arbitrary code execution in the context of the affected application, such as Safari or another app embedding WebKit. In observed exploit chains, CVE-2023-43000 was used as an initial browser compromise primitive and could enable deeper device compromise when chained with additional sandbox escape and privilege-escalation vulnerabilities.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted web content on affected devices. Practical mitigations supported by the content include enabling Lockdown Mode, which Apple states blocks Coruna-related attacks, and relying on Safari Safe Browsing to help block known malicious domains. Additional defensive measures include restricting browsing to trusted sites, minimizing use of vulnerable legacy devices, and discontinuing use of unsupported or unpatchable systems where official fixes cannot be applied.

Remediation

Patch, then assume compromise.

Apply Apple security updates that include the fix for CVE-2023-43000. The content states the issue is fixed in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, Safari 16.6, and later backported updates including iOS 15.8.7 and iPadOS 15.8.7 for legacy devices. Organizations should ensure all supported Apple devices and Safari installations are updated to a version containing Apple’s improved memory-management fix.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AppleIpadosoperating_system

AppleIphone Osoperating_system

AppleMacosoperating_system

AppleSafariapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

50 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

50 SOURCESView more in app

socket blogNews

May 20, 2026

Coruna Respawned: Compromised art-template npm Package Leads...

A Coruna exploit chain vulnerability targeting iOS 16.2–16.5 and fixed in iOS 16.6.

breakglass intelNews

Apr 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

A WebKit JIT type confusion vulnerability used in Coruna Stage 1 to achieve initial code execution in the browser renderer on iOS 16.2-16.5.1.

security affairsNews

Mar 20, 2026

Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

A WebContent read/write exploit component in the Coruna exploit kit for iOS devices.

the hacker newsNews

Mar 18, 2026

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

A security flaw for which Apple expanded patches; the flaw was weaponized as part of the Coruna exploit kit.

+26 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence23

Every observed campaign linking this CVE to a named adversary.

Associated malware29

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2023-43000

NVD

nvd.nist.gov/vuln/detail/CVE-2023-43000

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

support.apple.com/en-us/120324

Vendor Advisory

support.apple.com/en-us/120331

Vendor Advisory

support.apple.com/en-us/120338

Vendor Advisory

support.apple.com/en-us/126632

Third Party Advisory

cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43000