CVE-2023-28206
published 2023-04-10


Priority: P1 86, high
CVSS 3.1: 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-05-01
Exploited in the wild
EPSS: 24.51% (97.6th percentile)
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Affected

17 ranges

Vendor   Product                  Version range              Fixed in
apple    ios_15.7.5_and_ipados    -                          -
apple    ios_16.4.1_and_ipados    -                          -
apple    ios_and_ipados           >= unspecified < 15.7      15.7
apple    ios_and_ipados           >= unspecified < 16.4      16.4
apple    ipados                   < 15.7.5                   15.7.5
apple    ipados                   >= 16.0 < 16.4.1           16.4.1
apple    iphone_os                < 15.7.5                   15.7.5
apple    iphone_os                >= 16.0 < 16.4.1           16.4.1
apple    macos                    < 11.7.6                   11.7.6
apple    macos                    >= 12.0 < 12.6.5           12.6.5
apple    macos                    >= 13.0 < 13.3.1           13.3.1
apple    macos                    >= unspecified < 11.7      11.7
apple    macos                    >= unspecified < 12.6      12.6
apple    macos                    >= unspecified < 13.3      13.3
apple    macos_big_sur            -                          -
apple    macos_monterey           -                          -
apple    macos_ventura            -                          -

The rows that end at 15.7, 16.4, 11.7, 12.6 and 13.3 are coarser than Apple's advisory, which names 15.7.5, 16.4.1, 11.7.6, 12.6.5 and 13.3.1 as the fixed builds; a device on 13.3 or 16.4 is still vulnerable, so use the advisory versions when checking an inventory.

Detection & IOCs (extracted from sources)

  • CVE-2023-28206 is an out-of-bounds write in the IOSurfaceAccelerator component of iOS, iPadOS and macOS; a malicious app can use it to execute arbitrary code with kernel privileges. It is a local primitive (CVSS AV:L, UI:R): attacker code must already be running on the device before the bug is reachable, so there is nothing to observe on the network. On macOS, detection should look for unexpected or unsigned processes interacting with the IOSurfaceAccelerator kernel driver; on iOS and iPadOS, where kernel-level telemetry is generally unavailable to defenders, confirming the installed OS version is the practical control.
  • The vulnerability was actively exploited in the wild before patches were available. Prioritize triage of unpatched Apple devices: iOS/iPadOS 16.x below 16.4.1, iOS/iPadOS 15.x below 15.7.5, and macOS below Monterey 12.6.5, Ventura 13.3.1 and Big Sur 11.7.6.
  • CVE-2023-28206 was exploited in the wild alongside CVE-2023-28205 (WebKit). Detections should consider the chained scenario in which browser-based initial access via CVE-2023-28205 is followed by kernel privilege escalation via IOSurfaceAccelerator (CVE-2023-28206); a WebKit crash or renderer compromise on an unpatched device is the earlier, more observable stage of that chain.
  • The vulnerable component is IOSurfaceAccelerator, a kernel-level graphics/surface management component present across Apple platforms (iOS, iPadOS, macOS). The out-of-bounds write is reached from an app through insufficient input validation in this component; Apple's fix was improved input validation.
  • The vulnerability affects multiple Apple OS versions and was patched in two waves: first for current devices (iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1), then for older hardware (iOS 15.7.5, iPadOS 15.7.5, macOS Monterey 12.6.5, macOS Big Sur 11.7.6). Detection scope must cover all affected platform versions, not only the latest branch.
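The fixed versions in the advisory differ per OS branch (a 12.x Mac is fixed at 12.6.5, a 13.x Mac only at 13.3.1), so a naive "is version >= 13.3.1" check will misclassify Monterey and Big Sur hosts. The following is an added example, not code from this page or from Apple, that applies the branch-specific fix table from the advisory to a constructed device inventory and returns the hosts still in an affected range. The inventory contents and host names are made up for illustration; the fix versions are the ones the advisory lists. Versions from the page's open-ended lower ranges (for example iOS 14 or macOS 10.15) fall below the oldest patched branch and are reported as vulnerable, which is the safe triage outcome for unsupported builds.

```python
# Branch-specific fixed builds for CVE-2023-28206, taken from Apple's advisory
# text reproduced on this page. Keyed by platform, then major version.
FIXED_IN = {
    "ios":    {15: (15, 7, 5), 16: (16, 4, 1)},
    "ipados": {15: (15, 7, 5), 16: (16, 4, 1)},
    "macos":  {11: (11, 7, 6), 12: (12, 6, 5), 13: (13, 3, 1)},
}

# Aliases so output from `sw_vers -productName` or CPE product names map onto
# the table (assumption: these are the only spellings the inventory uses).
PLATFORM_ALIASES = {
    "iphone_os": "ios", "iphoneos": "ios", "ios": "ios",
    "ipados": "ipados", "ipad_os": "ipados",
    "macos": "macos", "mac_os_x": "macos", "mac os x": "macos",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse "16.4" or "13.3.1" into a 3-tuple, padding with zeros so that
    16.4 compares as (16, 4, 0) < (16, 4, 1) and is correctly flagged."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(platform: str, version: str) -> bool:
    """True if (platform, version) falls inside an affected range for
    CVE-2023-28206 according to the advisory's per-branch fixed builds."""
    plat = PLATFORM_ALIASES[platform.strip().lower()]
    fixes = FIXED_IN[plat]
    v = parse_version(version)
    majors = sorted(fixes)
    if v[0] > majors[-1]:
        # Newer major than any patched branch: the fix is carried forward.
        return False
    if v[0] < majors[0]:
        # Below the oldest patched branch: covered by the page's open-ended
        # "< 15.7.5" / "< 11.7.6" ranges, and no patched build exists for it.
        return True
    if v[0] not in fixes:
        # A major inside the affected span with no fix entry; treat as affected.
        return True
    return v < fixes[v[0]]


def triage(inventory):
    """Return the (host, platform, version) entries that still need patching."""
    return [(host, plat, ver) for host, plat, ver in inventory
            if is_vulnerable(plat, ver)]


# Constructed sample inventory (hypothetical hosts, not data from the page).
# On a real Mac the version column would come from `sw_vers -productVersion`.
SAMPLE_INVENTORY = [
    ("mbp-01",    "macos",  "13.3"),    # Ventura one build short of the fix
    ("mbp-02",    "macos",  "13.3.1"),  # patched
    ("mini-03",   "macos",  "12.6.5"),  # Monterey patched (would fail a >=13.3.1 check)
    ("imac-04",   "macos",  "11.7.5"),  # Big Sur, unpatched
    ("iphone-05", "ios",    "16.4"),    # unpatched
    ("iphone-06", "ios",    "15.7.5"),  # patched older-hardware branch
    ("ipad-07",   "ipados", "16.3.1"),  # unpatched
    ("iphone-08", "ios",    "14.8.1"),  # no patched build for this branch
    ("mbp-09",    "macos",  "14.0"),    # newer than any affected branch
]

if __name__ == "__main__":
    for host, plat, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {plat} {ver} is in an affected range for CVE-2023-28206")
```

Running the block lists mbp-01, imac-04, iphone-05, ipad-07 and iphone-08 and leaves mbp-02, mini-03, iphone-06 and mbp-09 alone. The branch lookup is the point: the same inventory checked against a single "latest fixed" version would wrongly report every Monterey and Big Sur host as vulnerable and hide the ones that actually are.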

CVSS provenance

nvd: v3.1 8.6 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vulncheck: 8.6 HIGH
cisa: 8.6 HIGH