CVE-2023-28205

CVSS 8.8 HIGH | EPSS 27.1% | KEV | CWE-416
In short

A use-after-free vulnerability in Safari on Apple devices allows attackers to execute arbitrary code by serving maliciously crafted web content. The flaw was actively exploited in the wild, which makes it a critical threat.

Technical detail

A CWE-416 use-after-free in memory management affects Safari, iOS, iPadOS, and macOS. The attack vector is network-based via maliciously crafted web content; no user interaction beyond visiting a malicious page is required. Successful exploitation leads to arbitrary code execution with the privileges of the Safari process or of any application using the vulnerable component.

Summary generated and translated by AI from the official description.
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H