← back
CVE-2023-28206

CVE-2023-28206

CVSS 8.6 HIGHEPSS 24.5%● KEVCWE-787
In short

A flaw in Apple systems allowed apps to write data beyond intended memory boundaries, potentially letting them run malicious code with the highest system privileges. This was actively being exploited in the wild.

Technical detail

An out-of-bounds write vulnerability in macOS and iOS (CWE-787) permitted local code execution with kernel-level privileges when an app bypassed input validation. The vulnerability affected multiple OS versions and was documented as under active exploitation; remediation required patching across Big Sur, Monterey, Ventura, and iOS 15–16 lineups.

Summary generated and translated by AI from the official description.
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
Apple · iOS and iPadOSApple · macOS
public PoCs found1
githubgithub.com/acceleratortroll/acceleratortroll8
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://support.apple.com/en-us/HT213720https://support.apple.com/en-us/HT213721https://support.apple.com/en-us/HT213723https://support.apple.com/en-us/HT213724https://support.apple.com/en-us/HT213725https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28206