CVE-2023-44216 — Observable Discrepancy in Apple Macos

CWE-203 — Observable Discrepancy4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.5%

top 34.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Macos Canonical Ubuntu Linux Google Android

Timeline

PublishedSep 27

Description

PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶NVDapple/macos13.1

▶NVDgoogle/android13.0

Also affects: Ubuntu Linux 22.04

🔴Vulnerability Details

OSV

CVE-2023-44216: PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-st↗2023-09-27

▶

GHSA

GHSA-fjqr-32v8-6gf9: PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-st↗2023-09-27

▶

CVEList

CVE-2023-44216: PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-st↗2023-09-26

▶