CVE-2023-41974
published 2024-01-10CVE-2023-41974: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be…
PriorityP181high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-03-26
Exploited in the wild
EPSS
1.41%
69.3th percentile
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be able to execute arbitrary code with kernel privileges.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_15.8.7_and_ipados | — | — |
| apple | ios_17_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 17 | 17 |
| apple | ios_and_ipados | >= unspecified < 15.8.7 | 15.8.7 |
| apple | ipados | < 15.8.7 | 15.8.7 |
| apple | ipados | >= 16.0 < 17.0 | 17.0 |
| apple | iphone_os | < 15.8.7 | 15.8.7 |
| apple | iphone_os | >= 16.0 < 17.0 | 17.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2023-41974 is a Kernel use-after-free vulnerability exploited as part of the 'Coruna' exploit kit, used in chained zero-day attacks targeting iOS/iPadOS devices to escalate privileges to Kernel level. Detection should focus on anomalous apps attempting kernel-level code execution on unpatched iOS 15/16 devices. ↗
- →The Coruna exploit kit has been actively used by multiple threat groups since February 2025, including suspected Russian state-backed group UNC6353, a surveillance vendor customer, and financially motivated Chinese threat actor UNC6691. Detections should consider attribution context when triaging alerts. ↗
- →UNC6691 delivered the Coruna exploit kit via fake gambling and crypto websites to steal cryptocurrency wallets. Network defenders should monitor for iOS device traffic to suspicious gambling/crypto-themed domains, especially from older device models (iPhone 6s through iPhone X, iPad Air 2, iPad mini 4th gen, iPod touch 7th gen). ↗
- →CVE-2023-41974 is part of a multi-CVE exploit chain. Coruna chains it with WebKit bugs (CVE-2024-23222, CVE-2023-43000, CVE-2023-43010) to achieve remote code execution followed by kernel privilege escalation. Detection strategies should look for exploit chain patterns, not just individual CVE triggers. ↗
- →The vulnerability specifically affects the Kernel component on iOS/iPadOS. Prioritize patching or detection on devices running iOS/iPadOS versions prior to 17 (initial fix: September 18, 2023) and prior to 15.8.7/16.7.15 for older hardware that cannot upgrade to iOS 17. ↗
- ·The vulnerability is in the iOS/iPadOS Kernel component (use-after-free). It requires a malicious app to trigger, meaning the initial attack vector for the Coruna chain is typically a WebKit browser exploit delivering a malicious payload, which then calls into this kernel bug. Detections at the network layer alone are insufficient without endpoint visibility. ↗
- ·CISA's KEV remediation due date for FCEB agencies is 2026-03-26. Organizations should verify their MDM/device management inventory for unpatched iOS/iPadOS devices, particularly older models (iPhone 6s–X, iPad Air 2, iPad mini 4th gen, iPod touch 7th gen) which require the backported fix in iOS 15.8.7 or iPadOS 16.7.15. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-58c3-hjfx-2gmq: A use-after-free issue was addressed with improved memory management
ghsa_unreviewed·2024-01-11
CVE-2023-41974 [HIGH] CWE-416 GHSA-58c3-hjfx-2gmq: A use-after-free issue was addressed with improved memory management
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17. An app may be able to execute arbitrary code with kernel privileges.
VulnCheck
Apple iOS and iPadOS Use-After-Free Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-41974 [HIGH] CWE-416 Apple iOS and iPadOS Use-After-Free Vulnerability
Apple iOS and iPadOS Use-After-Free Vulnerability
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
Affected: Apple iOS and iPadOS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.nadsec.online/blog/coruna
Exploit PoC: https://vulncheck.com/xdb/5fc4f2b9f5cc
Remediation Due: 2026-03-26
Apple
CVE-2023-41974: iOS 15.8.7 and iPadOS 15.8.7
vendor_apple·2026-03-11·CVSS 7.8
CVE-2023-41974 [HIGH] CVE-2023-41974: iOS 15.8.7 and iPadOS 15.8.7
Apple Security Update: About the security content of iOS 15.8.7 and iPadOS 15.8.7
Product: iOS 15.8.7 and iPadOS
Version: 15.8.7
CVE: CVE-2023-41974
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges. This fix associated with the Coruna exploit was shipped in iOS 17 on September 18, 2023. This update brings that fix to devices that cannot update to the latest iOS version.
Description: A use-after-free issue was addressed with improved memory management.
CISA
Apple iOS and iPadOS Use-After-Free Vulnerability
cisa·2026-03-05·CVSS 7.8
CVE-2023-41974 [HIGH] CWE-416 Apple iOS and iPadOS Use-After-Free Vulnerability
Vulnerability: Apple iOS and iPadOS Use-After-Free Vulnerability
Affected: Apple iOS and iPadOS
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.apple.com/en-us/HT213938 ; https://support.apple.com/kb/HT213938 ; https://nvd.nist.gov/vuln/detail/CVE-2023-41974
Remediation Due Date: 2026-03-26
Apple
CVE-2023-41974: iOS 17 and iPadOS 17
vendor_apple·2023-09-18·CVSS 7.8
CVE-2023-41974 [HIGH] CVE-2023-41974: iOS 17 and iPadOS 17
Apple Security Update: About the security content of iOS 17 and iPadOS 17
Product: iOS 17 and iPadOS
Version: 17
CVE: CVE-2023-41974
Component: Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use-after-free issue was addressed with improved memory management.
No detection rules found.
No public exploits indexed.
https://support.apple.com/en-us/120949https://support.apple.com/en-us/126632https://support.apple.com/en-us/HT213938https://support.apple.com/kb/HT213938https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kithttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41974
2024-01-10
Published
2026-03-05
Added to CISA KEV
Exploited in the wild