← back
CVE-2023-41990

CVE-2023-41990

CVSS 7.8 HIGHEPSS 1.1%● KEV
In short

Processing a malicious font file can allow an attacker to run arbitrary code on your Apple device. This vulnerability affects iPhones, iPads, Macs, and Apple Watches, and Apple confirms it has been exploited in real attacks.

Technical detail

A memory corruption vulnerability in font processing allows remote code execution when a crafted font file is processed. The attack requires user interaction (opening a malicious font or content containing it) and impacts multiple Apple platforms. The fix involves improved cache handling to prevent unsafe memory access during font rendering.

Summary generated and translated by AI from the official description.
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Apple · iOS and iPadOSApple · macOSApple · tvOSApple · watchOS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://support.apple.com/en-us/HT213599https://support.apple.com/en-us/HT213601https://support.apple.com/en-us/HT213605https://support.apple.com/en-us/HT213606https://support.apple.com/en-us/HT213842https://support.apple.com/en-us/HT213844https://support.apple.com/en-us/HT213845https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41990