What is a Use-After-Free (UAF) in the context of WebKit?

A Use-After-Free occurs when WebKit continues to use a pointer to a memory object after that object has been deleted or freed. In CVE-2025-43529, this happens during the rendering of SVG 'use' elements when the target element is dynamically removed from the DOM.

How can an attacker exploit CVE-2025-43529?

An attacker can deliver a malicious webpage containing a specifically crafted SVG. By triggering the UAF and then spraying the heap to fill the freed memory with attacker-controlled data (like a fake vtable), the attacker can hijack the control flow and execute arbitrary code.

Which devices are affected by CVE-2025-43529?

All iOS and iPadOS devices running versions prior to 26.2 are vulnerable, as they use the affected version of the WebKit rendering engine in Safari and other third-party browsers.

Shattered Vector: Exploiting the WebKit SVG Use-After-Free (CVE-2025-43529) | Technical Tutorials

$cat snippet_webkit-svg-uaf-rce-cve-2025-43529.sh

python3 webkit_fuzzer.py --svg --output trigger.html

Executive Summary: The Fragility of the DOM

In the ecosystem of mobile security, the browser remains the most critical and frequently attacked vector. WebKit, the engine powering Safari and all iOS browsers, is a massive codebase responsible for transforming complex HTML, CSS, and SVG data into the interactive visual experience users expect.

CVE-2025-43529 is a high-severity Use-After-Free (UAF) vulnerability within WebKit's SVG (Scalable Vector Graphics) rendering component. By manipulating the lifecycle of SVG `use` elements through JavaScript, an attacker can force the engine into a state where it attempts to access a pointer to a DOM object that has already been destroyed. This memory corruption provides a primitive for arbitrary code execution (RCE) within the Safari renderer sandbox.

Technical Architecture: SVG Render Trees and the `use` Element

SVG is a XML-based vector image format. One of its most powerful features is the `use` element, which allows for the cloning and reuse of existing SVG fragments.

The Shadow Tree

When an SVG `use` element references a target element (e.g., `<use href="#myCircle" />`), WebKit creates a "Shadow Tree." This is a hidden copy of the target element's subtree that is attached to the `use` element for rendering.

The Render Cycle

The WebKit rendering process involves several stages:

DOM Tree Construction: The HTML/SVG is parsed.
Style Resolution: CSS rules are applied.
Render Tree Construction: WebKit creates a tree of objects representing the visual elements.
Layout/Painting: The positions are calculated and pixels are drawn.

The vulnerability resides in the complex synchronization between the DOM Tree and the Render Tree when the source of a `use` element is dynamically modified.

Vulnerability Root Cause: The Dangling Shadow Pointer

The root cause of CVE-2025-43529 is a failure in the `SVGUseElement` class to properly invalidate its reference to the shadow tree's render object during a specific sequence of DOM mutations.

The Trigger Scenario

The vulnerability is triggered through a "race-like" sequence in JavaScript:

Create an SVG `use` element that points to a target `<g>` (group) element.
Force a layout (e.g., by calling `getBoundingClientRect()`). This creates the Shadow Tree and the associated Render Objects.
Remove the target `<g>` element from the DOM.
Simultaneously modify a style property on the `use` element.

The Memory Corruption

When the target `<g>` is removed, the Shadow Tree should be destroyed, and all pointers to it should be nulled. However, due to the simultaneous style modification, the `SVGUseElement` enters a re-layout state where it maintains a "dangling" pointer to the now-freed Render Object of the shadow group.

When the layout engine attempts to "paint" the `use` element, it follows this dangling pointer into freed memory.

Exploitation Methodology: From UAF to RCE

Heap Spraying (JSC Cells)

To exploit a UAF, the attacker must replace the freed memory with data they control. In WebKit, the most common technique is to use JavaScript to create thousands of small objects (like `JSArray` or `ArrayBuffer` headers) that will be allocated in the same heap space as the freed Render Object.

Faking the VTable

The goal is to align a "fake object" exactly where the old Render Object was. This fake object is crafted to have a vtable (virtual function table) pointer that points back into the attacker's JavaScript heap.

$cat output.javascript[javascript]

// Simplified heap spray concept
var spray = [];
for (var i = 0; i < 10000; i++) {
    spray[i] = new Float64Array(16);
    spray[i][0] = fake_vtable_addr; // Pointing to shellcode or ROP chain
}

Triggering the Virtual Call

The attacker triggers the layout/paint cycle. WebKit follows the dangling pointer, reads the `fake_vtable_addr` from the sprayed memory, and calls a virtual function (e.g., `paint()`). This redirects the CPU to the attacker's ROP chain.

Remediation and Browser Hardening

The Technical Fix (iOS 26.2)

Apple patched this by introducing a strong reference counting mechanism for the shadow render tree. In the updated WebKit source, the `SVGUseElement` now holds a `WeakPtr` to its target, and the rendering logic explicitly checks for validity before every access.

Defensive Posture

Update to iOS 26.2+: This addresses the core logic flaw in the SVG engine.
Lockdown Mode: For high-risk users, Apple's Lockdown Mode significantly hardens WebKit by disabling JIT and restricting complex web features (including some SVG advanced behaviors), making exploitation substantially more difficult.

#CVE-2025-43529#WebKit#UAF#RCE#iOS#Safari#SVG