CVE-2023-32439
In short
A type confusion vulnerability in Apple's WebKit browser engine allows a remote attacker to execute arbitrary code on a device that merely renders maliciously crafted web content. The flaw affects iOS, iPadOS, macOS and Safari; Apple reports that it may have been actively exploited, and CISA has added it to its Known Exploited Vulnerabilities catalog.
Technical detail
Type confusion (CWE-843) occurs when the engine operates on an object as if it were of one type while it is actually of another, so that field offsets, lengths or pointers are interpreted under the wrong layout; in a JavaScript engine this typically yields an out-of-bounds read/write primitive that is then turned into code execution. Apple's fix description ("addressed with improved checks") indicates a missing or insufficient type check in WebKit; no further detail on the affected code path has been published. Exploitation requires only that the victim load attacker-controlled HTML/JavaScript, for example by visiting a malicious or compromised page (user interaction: a page visit, nothing more), and results in arbitrary code execution with the privileges of the rendering process of the affected application. In Safari that process is sandboxed, so turning this bug into full device compromise normally requires chaining it with a sandbox escape and a kernel privilege escalation, which is the shape in-the-wild WebKit exploit chains usually take.
Summary generated and translated by AI from the official description.
A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base score 8.8, High)
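The fixed releases listed above are what a defender actually has to verify across a fleet. The script below is an added example, not Apple's tooling and not part of the original advisory: it encodes the fixed-version table from the advisory text and classifies a reported product version as fixed, vulnerable, or unknown (a branch for which the advisory lists no fix, such as iOS 14 or a macOS release older than Ventura via OS update). On macOS it can also read the local OS and Safari versions with the standard `sw_vers` and `defaults` commands; on any other host it simply falls back to the supplied values. The constructed sample versions at the bottom are illustrative, and the assumption that later branches (e.g. iOS 17, macOS 14) ship with the fix included is stated in the code.

```python
"""Classify Apple OS / Safari versions against the CVE-2023-32439 fixed releases.

Added example for this advisory; not Apple's own tooling. The FIXED table is
taken from the advisory text. Branches not listed received no fix according
to the advisory (treated as 'unknown'); branches newer than any listed fix are
assumed to include it, since Apple releases are cumulative.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Product -> {major version branch: first fixed release}, per the advisory.
FIXED: Dict[str, Dict[int, str]] = {
    "iOS":    {16: "16.5.1", 15: "15.7.7"},
    "iPadOS": {16: "16.5.1", 15: "15.7.7"},
    "macOS":  {13: "13.4.1"},
    "Safari": {16: "16.5.1"},
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'16.5.1' -> (16, 5, 1). Accepts strings like '13.4' or '16.5.1 (c)'."""
    nums = re.findall(r"\d+", s)
    if not nums:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(n) for n in nums)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad both tuples with zeros so '16.5' compares as (16,5,0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def assess(product: str, version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one product version."""
    branches = FIXED[product]
    v = parse_version(version)
    major = v[0]
    if major in branches:
        a, b = _padded(v, parse_version(branches[major]))
        return "fixed" if a >= b else "vulnerable"
    if major > max(branches):
        # Assumption: a branch released after the fix already contains it.
        return "fixed"
    # Older branch with no fix listed on the advisory: do not call it safe.
    return "unknown"


def assess_mac(os_version: str, safari_version: str) -> str:
    """macOS Ventura gets the fix via the OS update (13.4.1); other macOS
    releases are judged by their Safari version (Safari 16.5.1)."""
    os_verdict = assess("macOS", os_version)
    if parse_version(os_version)[0] == 13:
        return os_verdict
    if os_verdict == "fixed":          # e.g. macOS 14: post-fix branch
        return "fixed"
    return assess("Safari", safari_version)


def detect_local() -> Optional[Dict[str, str]]:
    """On macOS, read OS and Safari versions; return None elsewhere."""
    try:
        os_ver = subprocess.run(["sw_vers", "-productVersion"],
                                capture_output=True, text=True,
                                check=True).stdout.strip()
        saf_ver = subprocess.run(
            ["defaults", "read",
             "/Applications/Safari.app/Contents/Info.plist",
             "CFBundleShortVersionString"],
            capture_output=True, text=True, check=True).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return {"macOS": os_ver, "Safari": saf_ver}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. as exported from an MDM.
    inventory = [("iOS", "16.5"), ("iOS", "16.5.1"), ("iPadOS", "15.7.6"),
                 ("iOS", "14.8.1"), ("iOS", "17.0"), ("macOS", "13.4")]
    for product, ver in inventory:
        print(f"{product} {ver}: {assess(product, ver)}")
    local = detect_local()
    if local:
        print("local host:", assess_mac(local["macOS"], local["Safari"]))
    else:
        print("local host: not macOS, supply versions manually")
```

Anything reported as `unknown` should be treated as exposed until confirmed otherwise; it means the device runs a branch for which this advisory lists no fix at all.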
References
https://security.gentoo.org/glsa/202401-04
https://support.apple.com/en-us/HT213811
https://support.apple.com/en-us/HT213813
https://support.apple.com/en-us/HT213814
https://support.apple.com/en-us/HT213816
https://support.apple.com/kb/HT213814
https://support.apple.com/kb/HT213816
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32439