⚠ Actively exploited

Added to CISA KEV on 2023-02-14. Federal agencies required to patch by 2023-03-07. Required action: Apply updates per vendor instructions..

CVE-2023-23529 — Type Confusion in Apple IOS AND Ipados

CWE-843 — Type Confusion CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer35 documents13 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 74.04%

CISA KEV

KEV

Added 2023-02-14

Due 2023-03-07

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +2 more

Timeline

KEV addedFeb 14

PublishedFeb 27

KEV dueMar 7

Latest updateMar 11

CISA Required Action: Apply updates per vendor instructions.

Description

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 15.7.4 and iPadOS 15.7.4, iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

▶NVDapple/ipados16.0 — 16.3.1+1

▶CVEListV5apple/ios_and_ipadosunspecified — 16.3+1

▶CVEListV5apple/macosunspecified — 13.2

▶NVDapple/macos13.0 — 13.2.1

▶CVEListV5apple/safariunspecified — 16.3

🔴Vulnerability Details

OSV

CVE-2023-23529: A type confusion issue was addressed with improved checks↗2023-02-27

▶

GHSA

GHSA-c5hw-5p2j-xqg7: A type confusion issue was addressed with improved checks↗2023-02-27

▶

CVEList

CVE-2023-23529: A type confusion issue was addressed with improved checks↗2023-02-27

▶

VulnCheck

Apple Multiple Products WebKit Type Confusion Vulnerability↗2023

▶

📋Vendor Advisories

Apple

CVE-2023-23529: iOS 15.7.4 and iPadOS 15.7.4↗2023-03-27

▶

Ubuntu

WebKitGTK vulnerabilities↗2023-02-27

▶

CISA

Apple Multiple Products WebKit Type Confusion Vulnerability↗2023-02-14

▶

Red Hat

webkitgtk: processing maliciously crafted web content may be exploited for arbitrary code execution↗2023-02-13

▶

Apple

CVE-2023-23529: Safari 16.3↗2023-02-13

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks↗2025-03-11

▶

Bleepingcomputer

Apple fixes zero-day exploited in 'extremely sophisticated' attacks↗2025-02-10

▶

Bleepingcomputer

Apple fixes this year’s first actively exploited zero-day bug↗2025-01-27

▶

Bleepingcomputer

Apple fixes two zero-days used in attacks on Intel-based Macs↗2024-11-19

▶

Bleepingcomputer

Apple fixes first zero-day bug exploited in attacks this year↗2024-01-22

▶