CVE-2023-41064
published 2023-09-07


Priority: P183 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2023-10-02)
Exploited in the wild
EPSS: 15.26% (96.4th percentile)
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Affected

17 ranges

Vendor | Product               | Version range          | Fixed in
-------|-----------------------|------------------------|---------
apple  | ios_15.7.9_and_ipados |                        |
apple  | ios_16.6.1_and_ipados |                        |
apple  | ios_and_ipados        | >= unspecified < 16.6  | 16.6
apple  | ios_and_ipados        | >= unspecified < 15.7  | 15.7
apple  | ipados                | < 15.7.9               | 15.7.9
apple  | ipados                | >= 16.0 < 16.6.1       | 16.6.1
apple  | iphone_os             | < 15.7.9               | 15.7.9
apple  | iphone_os             | >= 16.0 < 16.6.1       | 16.6.1
apple  | macos                 | >= 11.0 < 11.7.10      | 11.7.10
apple  | macos                 | >= 12.0 < 12.6.9       | 12.6.9
apple  | macos                 | >= 13.0 < 13.5.2       | 13.5.2
apple  | macos                 | >= unspecified < 12.6  | 12.6
apple  | macos                 | >= unspecified < 11.7  | 11.7
apple  | macos                 | >= unspecified < 13.5  | 13.5
apple  | macos_big_sur         |                        |
apple  | macos_monterey        |                        |
apple  | macos_ventura         |                        |

Detection & IOCs (extracted from sources)

other: BLASTPASS
other: PassKit attachments containing malicious images via iMessage
  • Hunt for zero-click iMessage exploitation via PassKit (.pkpass) attachments containing malicious WebP/image payloads; no user interaction is required.
  • CVE-2023-41064 is chained with CVE-2023-41061 (a Wallet validation issue); detections should look for both CVEs being triggered together as part of the BLASTPASS chain.
  • The root cause is a heap buffer overflow in the libwebp/ImageIO image-processing component; monitor for anomalous image-processing activity (WebP files) in the iMessage/ImageIO context on Apple devices.
  • CVE-2023-41064 is believed to share the same underlying libwebp bug as CVE-2023-4863/CVE-2023-5129; detection of malicious WebP files (heap buffer overflow via Huffman coding in lossless compression) applies across Apple ImageIO and every libwebp-dependent application.
  • Apple SEAR and Citizen Lab notified Google on September 6, 2023 about the libwebp flaw; use this date as a pivot point when threat hunting for exploitation activity in logs.
  • Exploitation requires no victim interaction (zero-click), so traditional user-behaviour-based detections will not fire; passive network/forensic monitoring of iMessage traffic is required.
  • CVE-2023-41064 affects multiple Apple OS versions (iOS/iPadOS 15 and 16, macOS Big Sur, Monterey, Ventura); patching scope must cover all listed platforms, not just the latest iOS.
  • The underlying libwebp flaw (CVE-2023-4863) also affects a broad set of non-Apple applications (Chrome, Firefox, Signal, Telegram, Electron-based apps, 1Password, etc.); the scope of exposure extends well beyond Apple ImageIO.
  • CVE-2023-5129 was rejected by MITRE as a duplicate of CVE-2023-4863; use CVE-2023-4863 as the canonical identifier for the libwebp library-level vulnerability when tracking patch status across non-Apple products.
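The hunting guidance above centres on PassKit attachments that carry WebP image data. The following triage helper is an added example, not code from this record or from any of its sources: it unpacks a .pkpass archive (a ZIP containing pass.json, a manifest, a signature and image assets), identifies members that are WebP by their RIFF magic rather than by file extension, and reports whether each one contains a VP8L (lossless) chunk, since the libwebp flaw lies in lossless decoding. The sample archive is constructed inline for demonstration; its "WebP" member is only a header skeleton, not a real image. The helper surfaces candidates for an analyst; it does not decide whether a file is malicious.

```python
"""Triage helper: surface WebP image data inside a PassKit (.pkpass) attachment.

A .pkpass is a ZIP archive. WebP files begin with a RIFF container header:
b"RIFF" <u32 little-endian size> b"WEBP", followed by chunks identified by a
FourCC: "VP8 " (lossy), "VP8L" (lossless) or "VP8X" (extended container).
This example only reads headers; it never decodes image data.
"""
import io
import struct
import zipfile
from dataclasses import dataclass


@dataclass
class WebPFinding:
    member: str        # path of the member inside the archive
    declared_ext: str  # extension the member claims to have
    lossless: bool     # True when a VP8L chunk is present
    size: int          # member size in bytes


def _iter_riff_chunks(data: bytes):
    """Yield (fourcc, payload) for each chunk after the 12-byte RIFF/WEBP header."""
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, data[pos + 8:pos + 8 + length]
        pos += 8 + length + (length & 1)  # RIFF chunks are padded to an even length


def is_webp(data: bytes) -> bool:
    """Magic-byte check; independent of the file name or extension."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def webp_is_lossless(data: bytes) -> bool:
    """True if the container carries a VP8L (lossless) chunk at the top level."""
    return any(fourcc == b"VP8L" for fourcc, _ in _iter_riff_chunks(data))


def scan_pkpass(blob: bytes) -> list[WebPFinding]:
    """Return one finding per archive member whose bytes are a WebP container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if not is_webp(data):
                continue
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            findings.append(WebPFinding(name, ext, webp_is_lossless(data), len(data)))
    return findings


def flag_for_review(findings: list[WebPFinding]) -> list[str]:
    """Human-readable reasons an analyst should look at a member."""
    reasons = []
    for f in findings:
        if f.declared_ext != "webp":
            reasons.append(f"{f.member}: WebP bytes behind a .{f.declared_ext or '(none)'} name")
        if f.lossless:
            reasons.append(f"{f.member}: lossless (VP8L) WebP content")
    return reasons


def build_sample_pkpass() -> bytes:
    """Constructed sample archive (hypothetical pass, not a real attachment)."""
    # VP8L payload: the 0x2f signature byte plus placeholder bytes; no real image data.
    vp8l_payload = b"\x2f" + b"\x00" * 5
    chunk = b"VP8L" + struct.pack("<I", len(vp8l_payload)) + vp8l_payload
    webp = b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.json", '{"formatVersion": 1, "passTypeIdentifier": "pass.example.demo"}')
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine PNG magic
        zf.writestr("logo.png", webp)  # WebP bytes hiding behind a .png name
    return buf.getvalue()


if __name__ == "__main__":
    for line in flag_for_review(scan_pkpass(build_sample_pkpass())):
        print(line)
```

Run it against a .pkpass exported from mail or device forensics to list members that warrant a closer look; the extension-mismatch check matters because pass assets are normally PNG, so WebP data under a .png name is itself a reason to escalate.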

CVSS provenance

Source    | Version | Score    | Vector
----------|---------|----------|---------------------------------------------
nvd       | v3.1    | 7.8 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck |         | 7.8 HIGH |
cisa      |         | 7.8 HIGH |