CVE-2023-43010: WebKit Memory Corruption Vulnerability Exploited in Coruna Attack Chains

Team Nippysoft

Apple has released security patches for CVE-2023-43010, a WebKit memory corruption vulnerability that is now one component of Coruna, a multi-chain iOS exploit kit documented by Google's Threat Intelligence Group. The bug was first fixed in iOS 17.2 in December 2023; it regained urgency when Google reported its use in Coruna, which chains exploits to reach full device compromise on iPhones running iOS 13.0 through 17.2.1. Apple has since backported the fix to devices capped at older branches, in iOS 16.7.15 and iOS 15.8.7. The vulnerability and the chain it sits in deserve close attention from anyone who builds web-facing software or manages Apple device fleets.

Understanding CVE-2023-43010: The WebKit Memory Corruption Flaw

CVE-2023-43010 is a memory handling vulnerability in WebKit, the browser engine that powers Safari and every third-party browser on iOS. Apple's official description states the issue was "addressed with improved memory handling," which typically indicates a flaw in how WebKit allocates, accesses, or deallocates memory regions during the processing of web content.

When a user visits a webpage containing maliciously crafted content, the vulnerability allows an attacker to trigger memory corruption within the WebKit rendering process. In practical terms, this means an attacker can manipulate memory in ways the application does not expect, potentially overwriting critical data structures, corrupting function pointers, or hijacking the execution flow of the browser process.

Why Memory Corruption in WebKit Matters

WebKit processes enormous amounts of untrusted input: HTML, CSS, JavaScript, images, fonts, and media from arbitrary websites. Every parsing operation represents a potential attack surface. Memory corruption vulnerabilities in this context are particularly dangerous because they provide the initial foothold for remote code execution (RCE) without any user interaction beyond visiting a webpage.

Consider a scenario where an enterprise deploys iPads as point-of-sale terminals in retail locations. These devices browse supplier portals, payment gateways, and internal dashboards. A single compromised website in that browsing chain could exploit CVE-2023-43010 to execute arbitrary code within the Safari sandbox, the first step toward full device takeover.

WebKit's speed comes from aggressive optimization: JIT-compiled JavaScript, speculative type assumptions, inline caches, and recycled object allocations. Each optimization adds bookkeeping that must stay consistent with the object graph it describes, and a bug in that bookkeeping (an object freed while a reference to it is still live, a type assumption that no longer holds after a side effect) is exactly the kind of narrow window an exploit developer looks for. The authors of Coruna target those transient states deliberately.

The Coruna Exploit Kit: Anatomy of a Sophisticated Threat

What elevates CVE-2023-43010 from a routine WebKit patch to a notable security event is its role within Coruna (also known as CryptoWaters), an exploit kit identified by Google's Threat Intelligence Group. Coruna contains 23 individual exploits organized into five complete attack chains covering every major iOS version from 13.0 to 17.2.1, a breadth rarely seen in publicly documented exploit frameworks.

The Five Attack Chains

Each chain in Coruna targets a specific iOS version range and combines multiple vulnerability classes to progress from initial browser compromise to full device control:

Chain           | Target iOS     | WebKit Entry Point | Escalation Method
----------------|----------------|--------------------|-------------------------------
Neutron/Dynamo  | 13.x           | CVE-2020-27930     | Kernel memory corruption
buffout         | 13.0 - 15.1.1  | CVE-2021-30952     | Memory corruption + kernel
jacurutu        | 15.2 - 15.5    | CVE-2022-48503     | Photon kernel exploit
terrorbird      | 16.2 - 16.5.1  | CVE-2023-43000     | Parallax sandbox escape
cassowary       | 16.6 - 17.2.1  | CVE-2024-23222     | PAC bypass + kernel escalation

In the chains as documented, CVE-2023-43010 is not the initial entry point but a supporting primitive: its memory corruption is used to move between exploitation stages. Reusing one primitive across several chains is a sign of modular engineering, with the kit's authors assembling chains from interchangeable components rather than writing each one end to end.

Six-Stage Exploitation Workflow

Coruna operates through a precisely orchestrated sequence of six stages, each building on the previous one to escalate from a simple webpage visit to full device compromise:

[Figure: Coruna Exploit Chain - Attack Flow. Stage 1 Device Fingerprinting (JS detects model + iOS version); Stage 2 WebKit RCE (CVE-2023-43010 / CVE-2024-23222); Stage 3 ASLR Bypass (memory layout revealed); Stage 4 Sandbox Escape (Safari isolation defeated); Stage 5 PAC Bypass + Kernel (CVE-2023-32434 / CVE-2023-38606); Stage 6 Implant Delivery (PlasmaLoader deployed). Key vulnerability classes in the chain: memory corruption (CVE-2023-43010), use-after-free (CVE-2023-43000), type confusion (CVE-2024-23222), PAC bypass (Apple Silicon), kernel access (CVE-2023-32434), chip-level bypass (CVE-2023-38606), sandbox escape (Safari process), ASLR defeat (memory randomization).]
  1. Device Fingerprinting: An embedded JavaScript framework identifies the iPhone model, iOS version, and browser configuration. The framework explicitly skips execution when Apple Lockdown Mode or private browsing is detected.
  2. WebKit Remote Code Execution: The selected WebKit vulnerability (such as CVE-2023-43010 or CVE-2024-23222) achieves arbitrary code execution within the browser sandbox.
  3. ASLR Bypass: Address Space Layout Randomization protections are circumvented to locate critical memory addresses needed for subsequent stages.
  4. Sandbox Escape: Safari's sandbox isolation is defeated, granting access to system resources beyond the browser process boundary.
  5. PAC Bypass and Kernel Access: Pointer Authentication Code protections on Apple Silicon are bypassed, and kernel-level vulnerabilities (CVE-2023-32434, CVE-2023-38606) provide full system control.
  6. Implant Delivery: The PlasmaLoader (PLASMAGRID) binary is deployed for persistent access, enabling cryptocurrency wallet theft, QR code interception, and command-and-control communication.
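The version-gating part of Stage 1, as an added example written for this article rather than Coruna's own fingerprinting script: it pulls the iOS version out of a Mobile Safari user agent and checks it against the chain ranges from the table above. The chain names and ranges are the article's; the user-agent strings are constructed, and the treatment of "13.x" as 13.0 through 13.7 (the last iOS 13 release) is an assumption made for the example.

```javascript
// Added example for this article, not Coruna's code: the version check a
// Stage 1 fingerprinter performs before choosing a chain.

// One entry per chain: lowest and highest iOS build it targets, from the chain
// table. "13.x" is written as 13.0 - 13.7 (iOS 13.7 was the last 13 release).
const CHAINS = [
  { name: "Neutron/Dynamo", min: "13.0", max: "13.7" },
  { name: "buffout",        min: "13.0", max: "15.1.1" },
  { name: "jacurutu",       min: "15.2", max: "15.5" },
  { name: "terrorbird",     min: "16.2", max: "16.5.1" },
  { name: "cassowary",      min: "16.6", max: "17.2.1" },
];

// Normalise "16_6_1", "16.6" etc. to a three-element numeric array.
function parseVersion(v) {
  const parts = String(v).split(/[._]/).map(Number);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Lexicographic compare of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Pull the iOS version out of a Mobile Safari user agent; null when the UA is
// not an iOS one. Caveat: since iPadOS 13, iPads in "desktop website" mode
// send a Macintosh UA, so a real fingerprinter has to fall back to other
// signals (touch support, screen geometry, GPU strings) for those devices.
function iosVersionFromUA(ua) {
  const m = /(?:iPhone|iPad|CPU) OS (\d+)[_.](\d+)(?:[_.](\d+))?/.exec(ua);
  if (!m) return null;
  return [m[1], m[2], m[3]].filter(Boolean).join(".");
}

// Every chain whose range contains the version. More than one can apply (the
// 13.x range is covered by both Neutron/Dynamo and buffout); which one the kit
// actually serves is the operator's decision and is not encoded here.
function matchingChains(version) {
  return CHAINS
    .filter(c => compareVersions(version, c.min) >= 0 &&
                 compareVersions(version, c.max) <= 0)
    .map(c => c.name);
}

// Stage 1 in miniature: user agent in, candidate chains out.
function fingerprint(ua) {
  const version = iosVersionFromUA(ua);
  return { version, chains: version ? matchingChains(version) : [] };
}

// Constructed user agents for the demonstration.
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15",
];

for (const ua of SAMPLE_UAS) console.log(JSON.stringify(fingerprint(ua)));
```

Running it shows the 16.6.1 iPhone landing in the cassowary range, the 17.3 iPhone matching nothing, and the Mac UA being skipped. Note that the ranges as tabulated leave 15.6 through 16.1 uncovered; that may be a gap in the summary rather than in the kit, and the function reports it honestly rather than guessing.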

Affected Devices and Software Versions

The scope of affected devices is extensive, particularly for organizations managing legacy Apple hardware. Understanding which devices remain vulnerable is critical for prioritizing patch deployment.

iOS 15.8.7 and iPadOS 15.8.7

  • iPhone 6s and iPhone 6s Plus
  • iPhone 7 and iPhone 7 Plus
  • iPhone SE (1st generation)
  • iPad Air 2
  • iPad mini (4th generation)
  • iPod touch (7th generation)

iOS 16.7.15 and iPadOS 16.7.15

  • iPhone 8 and iPhone 8 Plus
  • iPhone X
  • iPad (5th generation)
  • iPad Pro 9.7-inch and iPad Pro 12.9-inch (1st generation)

Additional Patched Platforms

  • macOS Sonoma 14.2
  • Safari 17.2

Enterprises managing hundreds or thousands of legacy iOS devices face a real deployment problem here. Devices that cannot move beyond iOS 15 or 16 only receive the fix through the backported builds, so MDM update policies must target those specific builds (15.8.7 and 16.7.15) rather than simply "latest iOS", or those devices stay vulnerable indefinitely.

How WebKit Memory Corruption Exploits Work

Understanding the technical mechanics of WebKit memory corruption is essential for developers who build web-facing applications and security engineers who assess browser-based threats.

The Memory Corruption Primitive

WebKit, like all complex rendering engines, manages thousands of dynamically allocated objects during page rendering. Memory corruption occurs when the engine incorrectly handles the lifecycle of these objects. The most common vulnerability classes exploited in Coruna include:

  • Use-After-Free (UAF): The engine accesses a memory region after it has been freed, allowing an attacker to place controlled data in the freed region and hijack subsequent operations. CVE-2023-43000 (terrorbird) exploits this pattern.
  • Type Confusion: The engine treats an object as a different type than intended, enabling read or write operations outside intended bounds. CVE-2024-23222 (cassowary) uses this approach.
  • Improper Memory Handling: Broadly covers flaws in allocation, deallocation, or access patterns that lead to corruption of adjacent memory regions. CVE-2023-43010 falls into this category.

From Corruption to Code Execution

A memory corruption vulnerability alone does not immediately grant code execution. Attackers must chain it with additional techniques to achieve reliable exploitation:

  1. Heap Spraying: Filling large portions of memory with controlled data to make the corruption outcome predictable rather than random.
  2. ROP/JOP Chains: Reusing existing code fragments (gadgets) within the application to construct an execution sequence without injecting new code, bypassing W^X protections.
  3. JIT Abuse: Leveraging WebKit's JavaScript JIT compiler to place attacker-controlled machine code in executable memory regions, turning the JIT compiler into an unintentional code injection mechanism.

This multi-step process explains why exploit kits like Coruna require so much engineering. Each step must work reliably across different device models and iOS versions, and a failure at any stage ends the attempt. A failed stage is not always silent, though: a heap layout that comes out wrong typically crashes Safari's WebContent process, and on iOS those crash reports (visible under Analytics & Improvements data) are among the few host-side artifacts a browser-based chain leaves behind.

Threat Actors Exploiting Coruna

The Coruna framework has been attributed to at least two distinct threat actor groups, each with different motivations and targeting patterns. This dual-use scenario highlights a growing trend in the exploit marketplace where sophisticated tooling circulates between state-sponsored and financially motivated operators.

UNC6353: State-Sponsored Espionage

UNC6353, a suspected Russian state-aligned espionage group, was detected deploying Coruna in July 2025 through compromised Ukrainian websites. Their operational characteristics include:

  • Geolocation-restricted payload delivery targeting specific geographic regions
  • Compromise of Ukrainian industrial and retail websites as delivery vectors
  • Use of the domain cdn.uacounter[.]com for exploit serving
  • Primary exploitation of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000

This campaign is the pattern defenders should plan around: legitimate business websites turned into silent delivery vectors. An employee visiting a compromised supplier portal on an unpatched iPhone could have the device fully compromised, with communications, credentials, and other sensitive data exfiltrated to adversary infrastructure, without any visible sign in the browser.

UNC6691: Financially Motivated Attacks

UNC6691, a financially motivated actor believed to operate from China, began using Coruna in December 2025 with a focus on cryptocurrency theft:

  • No geographic restriction on targets; the campaign is global in scope
  • Deployment through fake cryptocurrency and financial services websites
  • PlasmaLoader implant configured specifically for wallet data exfiltration
  • Targeting of MetaMask, Exodus, Base, and Bitget Wallet applications
  • Custom domain generation algorithm (DGA) using the seed "lazarus" to generate .xyz domains for command-and-control infrastructure

Common Security Mistakes That Amplify the Risk

Security professionals and developers frequently underestimate the risk of browser-based exploitation on mobile devices. The following mistakes significantly amplify exposure to threats like Coruna:

  1. Assuming Safari sandboxing provides adequate protection: The Coruna kit demonstrates that sandbox escapes are actively exploited in the wild. Relying solely on browser sandboxing as a security boundary is insufficient against sophisticated attackers who have invested in dedicated sandbox escape exploits.
  2. Neglecting legacy device patch management: Many organizations continue using iPhone 6s, 7, and 8 models for specific business functions without enforcing timely security updates. These devices are now primary targets for Coruna, and the extended delay between initial patch availability (December 2023) and backport delivery (March 2026) left a significant exposure window.
  3. Ignoring WebKit's universal attack surface on iOS: On iOS, every browser (Chrome, Firefox, Edge, Brave) uses WebKit as its rendering engine. Switching browsers provides zero additional protection against WebKit vulnerabilities. This architectural decision by Apple means a single WebKit flaw affects the entire iOS browser ecosystem.
  4. Not enabling Lockdown Mode for high-risk users: Coruna's fingerprinting stage explicitly aborts when Lockdown Mode is detected. Lockdown Mode also removes JavaScript JIT compilation and other complex web features from Safari, so it takes away capability the later stages rely on, not just a check the kit chose to honor. Adoption nevertheless remains low even among the populations most likely to be targeted, such as journalists, activists, and government officials.

Mitigation Strategies and Defensive Recommendations

Protecting against CVE-2023-43010 and the broader Coruna threat requires a layered defensive approach combining immediate patching, architectural controls, and long-term strategy.

Immediate Actions

  • Update all Apple devices immediately: install iOS 15.8.7 or 16.7.15 on devices capped at those branches, iOS 17.2 or later everywhere else, and macOS Sonoma 14.2 or Safari 17.2 on Macs
  • Enable Lockdown Mode for executives, journalists, activists, and anyone at elevated risk of targeted exploitation
  • Audit your device fleet: Identify all devices running iOS versions between 13.0 and 17.2.1 and prioritize their immediate update or retirement

Architectural Defenses

  • Implement network-level URL filtering to block known Coruna delivery domains (Google's Threat Intelligence Group has identified over 50)
  • Deploy Mobile Threat Defense (MTD) solutions capable of detecting exploit delivery attempts and anomalous browser behavior
  • Enforce MDM policies that require minimum OS versions and block access to corporate resources from unpatched devices
  • Monitor for indicators of compromise: hidden iFrames with zero dimensions, self-contained HTML payloads (group.html, analytics.html), and unusual JavaScript fingerprinting activity
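The page-level indicators in the last bullet, turned into a static check as an added example for this article (not a production scanner, and not from the article's author or Google's report). It flags iframes collapsed to zero size or hidden by inline style, src values ending in the payload names group.html or analytics.html, and iframes or scripts loaded from the cdn.uacounter[.]com host named earlier. The HTML it scans is constructed; the delivery host is the only real indicator in it. A regular-expression tag walk is used instead of a full HTML parser to keep the example dependency-free, which is an assumption a real deployment should revisit.

```javascript
// Added example for this article: static check for the IoCs listed above
// (hidden zero-dimension iframes, payload filenames, known delivery host).

// Stored defanged, as in the article, and refanged for comparison only.
const KNOWN_DELIVERY_HOSTS = new Set(
  ["cdn.uacounter[.]com"].map(h => h.replace("[.]", "."))
);
const PAYLOAD_NAMES = new Set(["group.html", "analytics.html"]);

// Extract name=value attributes from the inside of a single tag.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// A width/height attribute that collapses the element to nothing.
function isZero(value) {
  return /^\s*0(?:px)?\s*$/.test(value ?? "");
}

// Inline style that hides the element or collapses a dimension to zero.
function hiddenByStyle(style) {
  return /\b(?:display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$))/i
    .test(style ?? "");
}

// Host and last path segment of a src; relative URLs get a placeholder host so
// that only absolute references to the known host are matched.
function srcParts(src) {
  try {
    const u = new URL(src, "https://relative.invalid/");
    return { host: u.hostname.toLowerCase(), file: u.pathname.split("/").pop() };
  } catch {
    return { host: "", file: "" };
  }
}

// Walk every <iframe ...> and <script ...> tag and collect reasons to flag it.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<(iframe|script)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const reasons = [];
    if (tag === "iframe" && (isZero(attrs.width) || isZero(attrs.height))) {
      reasons.push("zero-dimension iframe");
    }
    if (tag === "iframe" && hiddenByStyle(attrs.style)) {
      reasons.push("iframe hidden via inline style");
    }
    if (attrs.src) {
      const { host, file } = srcParts(attrs.src);
      if (KNOWN_DELIVERY_HOSTS.has(host)) reasons.push(`known delivery host ${host}`);
      if (PAYLOAD_NAMES.has(file)) reasons.push(`payload filename ${file}`);
    }
    if (reasons.length) findings.push({ tag, src: attrs.src ?? null, reasons });
  }
  return findings;
}

// Constructed page: one benign embed, one hidden payload frame, one script
// pulled from the delivery host. The script filename is made up.
const DELIVERY_HOST = [...KNOWN_DELIVERY_HOSTS][0];
const SAMPLE_HTML = `
<p>Spare parts catalogue</p>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
<iframe src="https://${DELIVERY_HOST}/group.html" width="0" height="0" style="border:0;display:none"></iframe>
<script src="https://${DELIVERY_HOST}/c.js"></script>
`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`${f.tag} ${f.src}: ${f.reasons.join("; ")}`);
}
```

On the sample, the YouTube embed passes clean, the payload iframe trips all four checks, and the script is flagged on host alone. Run it over cached copies of pages your fleet visits (a proxy's saved responses, or a crawl of supplier portals) rather than live fetches, so the check itself never touches the delivery host.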

Long-Term Strategy

  • Establish a device lifecycle policy that retires hardware before it falls out of Apple's active security update support window
  • Adopt Zero Trust architecture where device health, including OS version and patch status, is continuously verified before granting access to any resource
  • Conduct regular threat intelligence reviews to stay informed about exploit kits targeting your device fleet and adjust defenses accordingly

Comparison: CVE-2023-43010 vs. Related WebKit Vulnerabilities in Coruna

CVE             | Vulnerability Type | Coruna Component     | Target iOS Range | Patched In
----------------|--------------------|----------------------|------------------|----------------------------
CVE-2023-43010  | Memory Corruption  | Supporting primitive | Pre-17.2         | iOS 17.2, 16.7.15, 15.8.7
CVE-2023-43000  | Use-After-Free     | terrorbird           | 16.2 - 16.5.1    | iOS 16.6
CVE-2024-23222  | Type Confusion     | cassowary            | 16.6 - 17.2.1    | iOS 17.3
CVE-2023-32434  | Kernel Access      | Photon               | 14.5 - 15.7.6    | iOS 15.7.7, 16.5.1
CVE-2023-38606  | Chip-Level Bypass  | Gallium              | 14.x             | iOS 16.6

The dates in the last column matter: CVE-2023-43010 was fixed in iOS 17.2 in December 2023, but the backport for devices capped at iOS 15 or 16 did not arrive until March 2026, a window of more than two years during which those devices had no fix available at all.

Frequently Asked Questions

What exactly does CVE-2023-43010 allow an attacker to do?

CVE-2023-43010 enables an attacker to corrupt memory within the WebKit rendering engine by delivering maliciously crafted web content. When exploited as part of the Coruna chain, this memory corruption serves as the initial step toward achieving remote code execution, sandbox escape, and ultimately full device compromise including data exfiltration and persistent implant installation.

Am I protected if I use Chrome or Firefox instead of Safari on my iPhone?

No. On the iOS versions affected here, every browser, including Chrome, Firefox, Edge, and Brave, is required to use the system WebKit engine; they differ in user interface and sync features, not in the rendering and JavaScript engine. A WebKit bug such as CVE-2023-43010 therefore reaches all of them equally. (Apple began permitting alternative browser engines in the EU with iOS 17.4, which postdates the affected range, so the point holds for every vulnerable build.)

Does Apple Lockdown Mode protect against Coruna?

Yes. Google's analysis confirmed that Coruna's device fingerprinting module explicitly checks for Lockdown Mode and aborts execution when it is enabled. This makes Lockdown Mode one of the most effective mitigations against this specific threat, though it does impose usability restrictions such as blocking certain web technologies and limiting attachment types.

Which devices are most at risk from this vulnerability?

Devices running an iOS version below 17.2 that have not received the fix are vulnerable to CVE-2023-43010, and the cassowary chain extends the kit's reach to 17.2.1 through CVE-2024-23222. Legacy devices such as the iPhone 6s, 7, 8, and X are particularly at risk because users often delay or skip updates on older hardware. Apple's backported patches (iOS 15.8.7 and 16.7.15) now cover these devices, but they must be installed manually or deployed through MDM.

Has CISA issued any guidance about this vulnerability?

Yes. CISA has mandated that federal agencies complete patching for CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 (all part of the Coruna exploit kit) by March 26, 2026. Organizations that follow CISA guidance should treat this as a high-priority patching requirement across their entire Apple device fleet.

Conclusion

CVE-2023-43010 is a reminder that browser engine vulnerabilities remain one of the most potent attack vectors in mobile security. Coruna's ability to chain 23 vulnerabilities across five complete attack paths shows that capable threat actors invest heavily in weaponizing every available WebKit flaw. For organizations managing Apple device fleets, the priority is clear: patch immediately, enforce minimum OS version policies, and enable Lockdown Mode for high-risk users. The window between disclosure and active exploitation continues to shrink, and the two-year gap before the legacy backports arrived left devices capped at iOS 15 or 16 exposed to both state-sponsored espionage and financial crime.

Review your organization's mobile device inventory today. Verify that all devices have received the latest security patches. Evaluate whether legacy devices still meet your security requirements or whether retirement is the safer path. The cost of a compromised device, both in data loss and in the erosion of user trust, far exceeds the investment in proactive patch management and device lifecycle planning.
