What happened

CISA added CVE-2023-43000 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-05, assigning a remediation due date of 2026-03-26 for U.S. federal enterprises and directing organizations to apply vendor mitigations or discontinue use if unavailable (CISA KEV). The entry describes a use-after-free flaw affecting Apple multiple products where processing maliciously crafted web content can lead to memory corruption (CISA KEV, NVD CVE-2023-43000). Affected platforms are listed as Apple macOS, iOS, iPadOS, and Safari 16.6 under the vendor’s “Multiple Products” umbrella (CISA KEV).

CVE-2023-43000 is tracked by NIST with a weakness classification of CWE-416 (use-after-free), aligning with the memory corruption behavior noted by the KEV entry (NVD CVE-2023-43000). The MITRE CVE record mirrors the registration of this identifier, confirming the issue’s canonical status in public vulnerability inventories (MITRE CVE).

Why it matters

Inclusion in KEV signals confirmed exploitation in the wild, raising the priority for immediate remediation across environments that render untrusted web content (CISA KEV). Browser- and web-content-triggered memory corruption defects offer a direct path to user compromise because they are activated by visiting hostile or compromised pages, requiring minimal user interaction (NVD CVE-2023-43000). For Apple fleets that share browsing stacks across macOS, iOS, and iPadOS, one vulnerable component can expose a broad user base to the same class of exploit delivery via maliciously crafted content (CISA KEV).

CVE-2023-43000’s categorization as use-after-free (CWE-416) means improper lifetime management of objects can enable attackers to manipulate freed memory, often resulting in corruption when the memory is re-used (NVD CVE-2023-43000). While impact specifics are vendor-advisory territory, the combination of known exploitation and a browser-reachable trigger elevates operational risk until patches are applied (CISA KEV).

Technical detail

The vulnerability is a use-after-free (CWE-416), where code continues to access memory after it has been freed, creating conditions for memory corruption when that memory region is subsequently reallocated or manipulated (NVD CVE-2023-43000). In this case, the trigger is the processing of maliciously crafted web content, indicating a remote, data-driven vector delivered through the browser or embedded web views (CISA KEV, NVD CVE-2023-43000). The fault manifests as memory corruption, a hallmark outcome for this weakness class, and aligns with the CWE designation on the NVD entry (NVD CVE-2023-43000).

CISA’s KEV inclusion captures two operationally relevant data points: a firm due date for remediation and an explicit required action to apply mitigations per vendor instructions or discontinue product use where mitigations are unavailable (CISA KEV). The KEV program’s scope focuses on vulnerabilities with evidence of exploitation, which places this issue into the must-patch-now class for defenders responsible for Apple endpoints that actively render untrusted web content (CISA KEV).

Defense

Primary action is straightforward: apply vendor mitigations/updates immediately, aligning with the KEV-required action for this CVE (CISA KEV). For organizations bound by Binding Operational Directive 22-01, meet the March 26, 2026 remediation date established by the catalog for CVE-2023-43000 (CISA KEV). Because the trigger is maliciously crafted web content, prioritize patch deployment to devices and user profiles that regularly access untrusted sites and services while the update window remains open (NVD CVE-2023-43000).

Inventory and validate exposure by CVE across Apple macOS, iOS, iPadOS, and Safari 16.6 where applicable under your management scope, then verify closure by build/version after update rollout, using the KEV entry as the authoritative tracking reference for due dates and required actions (CISA KEV).

Lyrie Verdict

CVE-2023-43000 is being exploited and is web-delivered. This is high-velocity tradecraft—patch first, then verify. Lyrie ingests the KEV feed continuously, elevates newly added entries like CVE-2023-43000 to enforced patch SLOs, and auto-generates exposure and due-date compliance views mapped to KEV metadata (CISA KEV). We cross-link KEV signals with the NVD record to anchor CWE and impact context for routing and prioritization at machine speed (NVD CVE-2023-43000).

Against rogue-AI-driven phishing, malvertising, or automated lure infrastructure, web-content bugs are the low-latency delivery vector. Lyrie’s stance is to remove the window: as soon as KEV confirms exploitation for a browser-reachable flaw, we trigger autonomous controls to tighten patch SLOs, block exceptions, and verify closure—no analyst in the loop for the decision to remediate (CISA KEV). That is how you outpace automated adversaries: policy and enforcement keyed to authoritative vulnerability intelligence, executed at machine speed.