CVE-2023-41974
published 2024-01-10

Priority: P181 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-26
Exploited in the wild
EPSS: 1.41% (69.3th percentile)

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be able to execute arbitrary code with kernel privileges.

Affected

8 ranges

Vendor  Product                Version range             Fixed in
apple   ios_15.8.7_and_ipados  -                         -
apple   ios_17_and_ipados      -                         -
apple   ios_and_ipados         >= unspecified < 17       17
apple   ios_and_ipados         >= unspecified < 15.8.7   15.8.7
apple   ipados                 < 15.8.7                  15.8.7
apple   ipados                 >= 16.0 < 17.0            17.0
apple   iphone_os              < 15.8.7                  15.8.7
apple   iphone_os              >= 16.0 < 17.0            17.0

Detection & IOCs (extracted from sources)

  • CVE-2023-41974 is a Kernel use-after-free vulnerability exploited as part of the 'Coruna' exploit kit, used in chained zero-day attacks targeting iOS/iPadOS devices to escalate privileges to Kernel level. Detection should focus on anomalous apps attempting kernel-level code execution on unpatched iOS 15/16 devices.
  • The Coruna exploit kit has been actively used by multiple threat groups since February 2025, including suspected Russian state-backed group UNC6353, a surveillance vendor customer, and financially motivated Chinese threat actor UNC6691. Detections should consider attribution context when triaging alerts.
  • UNC6691 delivered the Coruna exploit kit via fake gambling and crypto websites to steal cryptocurrency wallets. Network defenders should monitor for iOS device traffic to suspicious gambling/crypto-themed domains, especially from older device models (iPhone 6s through iPhone X, iPad Air 2, iPad mini 4th gen, iPod touch 7th gen).
  • CVE-2023-41974 is part of a multi-CVE exploit chain. Coruna chains it with WebKit bugs (CVE-2024-23222, CVE-2023-43000, CVE-2023-43010) to achieve remote code execution followed by kernel privilege escalation. Detection strategies should look for exploit chain patterns, not just individual CVE triggers.
  • The vulnerability specifically affects the Kernel component on iOS/iPadOS. Prioritize patching or detection on devices running iOS/iPadOS versions prior to 17 (initial fix: September 18, 2023) and prior to 15.8.7/16.7.15 for older hardware that cannot upgrade to iOS 17.
  • The vulnerability is in the iOS/iPadOS Kernel component (use-after-free). It requires a malicious app to trigger, meaning the initial attack vector for the Coruna chain is typically a WebKit browser exploit delivering a malicious payload, which then calls into this kernel bug. Detections at the network layer alone are insufficient without endpoint visibility.
  • CISA's KEV remediation due date for FCEB agencies is 2026-03-26. Organizations should verify their MDM/device management inventory for unpatched iOS/iPadOS devices, particularly older models (iPhone 6s–X, iPad Air 2, iPad mini 4th gen, iPod touch 7th gen) which require the backported fix in iOS 15.8.7 or iPadOS 16.7.15.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck  -        7.8    HIGH      -
cisa       -        7.8    HIGH      -