⚠ Actively exploited
Added to CISA KEV on 2023-09-11. Federal agencies required to patch by 2023-10-02. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-41061: Improper Input Validation in Apple iOS and iPadOS

Severity: 7.8 HIGH (NVD)
EPSS: 1.0% (top 23.15%)
CISA KEV: Added 2023-09-11, due 2023-10-02
Exploit: Exploited in the wild; active exploitation observed

Timeline
Published: Sep 7
KEV added: Sep 11
KEV due: Oct 2
Latest update: Mar 11

Description

A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (7 packages)

Source     | Package                  | Affected / fixed version
NVD        | apple/ipados             | < 16.6.1
CVEListV5  | apple/watchos            | unspecified, 9.6
NVD        | apple/watchos            | < 9.6.2
CVEListV5  | apple/ios_and_ipados     | unspecified, 16.6
Apple      | apple/watchos            | 9.6.2

Vulnerability Details (4 entries)

Project Zero: Blasting Past Webp - Project Zero (2025-03-01)
GHSA: GHSA-h6m5-xj4q-9xw4: A validation issue was addressed with improved logic (2023-09-07)
VulnCheck: Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability (2023)
VulnCheck: Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability (2023)

Vendor Advisories (4 entries)

CISA: Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability (2023-09-11)
CISA: Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability (2023-09-11)
Apple: CVE-2023-41061: watchOS 9.6.2 (2023-09-07)
Apple: CVE-2023-41061: iOS 16.6.1 and iPadOS 16.6.1 (2023-09-07)

Threat Intelligence (17 entries)

BleepingComputer: Apple fixes WebKit zero-day exploited in 'extremely sophisticated' attacks (2025-03-11)
BleepingComputer: Apple fixes zero-day exploited in 'extremely sophisticated' attacks (2025-02-10)
BleepingComputer: Apple fixes this year's first actively exploited zero-day bug (2025-01-27)
BleepingComputer: Apple fixes two zero-days used in attacks on Intel-based Macs (2024-11-19)
BleepingComputer: Apple fixes first zero-day bug exploited in attacks this year (2024-01-22)