⚠ Actively exploited

Added to CISA KEV on 2023-06-23. Federal agencies required to patch by 2023-07-14. Required action: Apply updates per vendor instructions..

CVE-2023-32439 — Type Confusion in Apple IOS AND Ipados

CWE-843 — Type Confusion CWE-94 — Code Injection30 documents12 sources

Severity

8.8HIGHNVD

EPSS

1.2%

top 21.38%

CISA KEV

KEV

Added 2023-06-23

Due 2023-07-14

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +3 more

Timeline

PublishedJun 23

KEV addedJun 23

KEV dueJul 14

Latest updateMar 11

CISA Required Action: Apply updates per vendor instructions.

Description

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

▶NVDapple/ipados16.0 — 16.5.1+1

▶CVEListV5apple/ios_and_ipadosunspecified — 15.7+1

▶CVEListV5apple/macosunspecified — 13.4

▶NVDapple/macos13.0 — 13.4.1

▶CVEListV5apple/safariunspecified — 16.5

🔴Vulnerability Details

GHSA

GHSA-rh53-wvg6-9v8m: A type confusion issue was addressed with improved checks↗2023-06-23

▶

CVEList

CVE-2023-32439: A type confusion issue was addressed with improved checks↗2023-06-23

▶

OSV

CVE-2023-32439: A type confusion issue was addressed with improved checks↗2023-06-23

▶

VulnCheck

Apple Multiple Products WebKit Type Confusion Vulnerability↗2023

▶

📋Vendor Advisories

Red Hat

webkitgtk: processing malicious web content may lead to arbitrary code execution↗2023-09-21

▶

Ubuntu

WebKitGTK vulnerabilities↗2023-07-31

▶

Red Hat

webkitgtk: type confusion issue leading to arbitrary code execution↗2023-06-29

▶

CISA

Apple Multiple Products WebKit Type Confusion Vulnerability↗2023-06-23

▶

Apple

CVE-2023-32439: Safari 16.5.1↗2023-06-21

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks↗2025-03-11

▶

Bleepingcomputer

Apple fixes zero-day exploited in 'extremely sophisticated' attacks↗2025-02-10

▶

Bleepingcomputer

Apple fixes this year’s first actively exploited zero-day bug↗2025-01-27

▶

Bleepingcomputer

Apple fixes two zero-days used in attacks on Intel-based Macs↗2024-11-19

▶

Bleepingcomputer

Apple fixes first zero-day bug exploited in attacks this year↗2024-01-22

▶