⚠ Actively exploited
Added to CISA KEV on 2023-09-11. Federal agencies required to patch by 2023-10-02. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-41064Classic Buffer Overflow in Apple IOS AND Ipados

CWE-120Classic Buffer Overflow37 documents13 sources
Severity
7.8HIGHNVD
EPSS
85.4%
top 0.63%
CISA KEV
KEV
Added 2023-09-11
Due 2023-10-02
Exploit
Exploited in wild
Active exploitation observed
Affected products
9
Apple IOS AND IpadosApple MacosApple Ipados+6 more
Timeline
PublishedSep 7
KEV addedSep 11
KEV dueOct 2
Latest updateMar 11
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages10 packages

Appleapple/macos_ventura13.5.2
Appleapple/macos_monterey12.6.9
CVEListV5apple/macosunspecified12.6+2
NVDapple/macos11.011.7.10+2
Appleapple/macos_big_sur11.7.10

🔴Vulnerability Details

4
Project0
Blasting Past Webp - Project Zero2025-03-01
GHSA
GHSA-8c6q-gxj3-w77f: A buffer overflow issue was addressed with improved memory handling2023-09-07
VulnCheck
Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability2023
VulnCheck
Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability2023

📋Vendor Advisories

7
CISA
Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability2023-09-11
Apple
CVE-2023-41064: macOS Big Sur 11.7.102023-09-11
CISA
Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability2023-09-11
Apple
CVE-2023-41064: iOS 15.7.9 and iPadOS 15.7.92023-09-11
Apple
CVE-2023-41064: macOS Monterey 12.6.92023-09-11

🕵️Threat Intelligence

24
Bleepingcomputer
Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks2025-03-11
Bleepingcomputer
Apple fixes zero-day exploited in 'extremely sophisticated' attacks2025-02-10
Bleepingcomputer
Apple fixes this year’s first actively exploited zero-day bug2025-01-27
Bleepingcomputer
Apple fixes two zero-days used in attacks on Intel-based Macs2024-11-19
Bleepingcomputer
Apple fixes first zero-day bug exploited in attacks this year2024-01-22

💬Community

1
Bugzilla
Out-of-bounds write in BuildHuffmanTable2023-09-12