⚠ Actively exploited

Added to CISA KEV on 2023-06-23. Federal agencies required to patch by 2023-07-14. Required action: Apply updates per vendor instructions..

CVE-2023-32435 — Out-of-bounds Write in Apple IOS AND Ipados

CWE-787 — Out-of-bounds Write CWE-94 — Code Injection35 documents14 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 53.74%

CISA KEV

KEV

Added 2023-06-23

Due 2023-07-14

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +2 more

Timeline

PublishedJun 23

KEV addedJun 23

KEV dueJul 14

Latest updateMar 11

CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.7 and iPadOS 15.7.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

▶NVDapple/ipados16.0 — 16.4+1

▶CVEListV5apple/ios_and_ipadosunspecified — 15.7+1

▶CVEListV5apple/macosunspecified — 13.3

▶NVDapple/macos13.0 — 13.3

▶CVEListV5apple/safariunspecified — 16.4

🔴Vulnerability Details

GHSA

GHSA-xqxr-jq6f-63f9: A memory corruption issue was addressed with improved state management↗2023-06-23

▶

CVEList

CVE-2023-32435: A memory corruption issue was addressed with improved state management↗2023-06-23

▶

OSV

CVE-2023-32435: A memory corruption issue was addressed with improved state management↗2023-06-23

▶

VulnCheck

Apple Multiple Products WebKit Memory Corruption Vulnerability↗2023

▶

📋Vendor Advisories

Red Hat

webkitgtk: processing malicious web content may lead to arbitrary code execution↗2023-09-21

▶

Ubuntu

WebKitGTK vulnerabilities↗2023-07-31

▶

Red Hat

webkitgtk: memory corruption issue leading to arbitrary code execution↗2023-06-29

▶

CISA

Apple Multiple Products WebKit Memory Corruption Vulnerability↗2023-06-23

▶

Apple

CVE-2023-32435: iOS 15.7.7 and iPadOS 15.7.7↗2023-06-21

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks↗2025-03-11

▶

Bleepingcomputer

Apple fixes zero-day exploited in 'extremely sophisticated' attacks↗2025-02-10

▶

Bleepingcomputer

Apple fixes this year’s first actively exploited zero-day bug↗2025-01-27

▶

Bleepingcomputer

Apple fixes two zero-days used in attacks on Intel-based Macs↗2024-11-19

▶

Bleepingcomputer

Apple fixes first zero-day bug exploited in attacks this year↗2024-01-22

▶