⚠ Actively exploited

Added to CISA KEV on 2023-05-22. Federal agencies required to patch by 2023-06-12. Required action: Apply updates per vendor instructions..

CVE-2023-28204 — Out-of-bounds Read in Apple IOS AND Ipados

CWE-125 — Out-of-bounds Read CWE-20 — Improper Input Validation35 documents13 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 78.42%

CISA KEV

KEV

Added 2023-05-22

Due 2023-06-12

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +5 more

Timeline

KEV addedMay 22

KEV dueJun 12

PublishedJun 23

Latest updateMar 11

CISA Required Action: Apply updates per vendor instructions.

Description

An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages12 packages

▶NVDapple/ipados16.0 — 16.5+1

▶CVEListV5apple/ios_and_ipadosunspecified — 15.7+1

▶CVEListV5apple/tvosunspecified — 16.5

▶NVDapple/tvos< 16.5

▶CVEListV5apple/macosunspecified — 13.4

🔴Vulnerability Details

GHSA

GHSA-m85j-wjrj-c4rg: An out-of-bounds read was addressed with improved input validation↗2023-06-23

▶

OSV

CVE-2023-28204: An out-of-bounds read was addressed with improved input validation↗2023-06-23

▶

CVEList

CVE-2023-28204: An out-of-bounds read was addressed with improved input validation↗2023-06-23

▶

VulnCheck

Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability↗2023

▶

📋Vendor Advisories

Ubuntu

WebKitGTK vulnerabilities↗2023-07-31

▶

CISA

Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability↗2023-05-22

▶

Red Hat

webkitgtk: an out-of-bounds read when processing malicious content↗2023-05-22

▶

Apple

CVE-2023-28204: tvOS 16.5↗2023-05-18

▶

Apple

CVE-2023-28204: iOS 16.5 and iPadOS 16.5↗2023-05-18

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks↗2025-03-11

▶

Bleepingcomputer

Apple fixes zero-day exploited in 'extremely sophisticated' attacks↗2025-02-10

▶

Bleepingcomputer

Apple fixes this year’s first actively exploited zero-day bug↗2025-01-27

▶

Bleepingcomputer

Apple fixes two zero-days used in attacks on Intel-based Macs↗2024-11-19

▶

Bleepingcomputer

Apple fixes first zero-day bug exploited in attacks this year↗2024-01-22

▶