⚠ Actively exploited

Added to CISA KEV on 2023-04-10. Federal agencies required to patch by 2023-05-01. Required action: Apply updates per vendor instructions..

CVE-2023-28206 — Out-of-bounds Write in Apple IOS AND Ipados

CWE-787 — Out-of-bounds Write28 documents8 sources

Severity

8.6HIGHNVD

EPSS

24.1%

top 3.92%

CISA KEV

KEV

Added 2023-04-10

Due 2023-05-01

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Ipados +6 more

Timeline

PublishedApr 10

KEV addedApr 10

KEV dueMay 1

Latest updateMar 11

CISA Required Action: Apply updates per vendor instructions.

Description

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages10 packages

▶Appleapple/macos_ventura13.3.1

▶Appleapple/macos_monterey12.6.5

▶CVEListV5apple/macosunspecified — 11.7+2

▶NVDapple/macos12.0 — 12.6.5+2

▶Appleapple/macos_big_sur11.7.6

🔴Vulnerability Details

VulnCheck

Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability↗2023

▶

📋Vendor Advisories

Apple

CVE-2023-28206: macOS Monterey 12.6.5↗2023-04-10

▶

CISA

Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability↗2023-04-10

▶

Apple

CVE-2023-28206: macOS Big Sur 11.7.6↗2023-04-10

▶

Apple

CVE-2023-28206: iOS 15.7.5 and iPadOS 15.7.5↗2023-04-10

▶

Apple

CVE-2023-28206: iOS 16.4.1 and iPadOS 16.4.1↗2023-04-07

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks↗2025-03-11

▶

Bleepingcomputer

Apple fixes zero-day exploited in 'extremely sophisticated' attacks↗2025-02-10

▶

Bleepingcomputer

Apple fixes this year’s first actively exploited zero-day bug↗2025-01-27

▶

Bleepingcomputer

Apple fixes two zero-days used in attacks on Intel-based Macs↗2024-11-19

▶

Bleepingcomputer

Apple fixes first zero-day bug exploited in attacks this year↗2024-01-22

▶