CVE-2023-28205
Published: 10 April 2023
Summary
CVE-2023-28205 is a high-severity Use After Free (CWE-416) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 22.5th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability in Apple's WebKit engine, tracked as CVE-2023-28205, affects Safari, iOS, iPadOS, and macOS Ventura. The flaw stems from improper memory management when processing web content and was corrected in Safari 16.4.1, iOS 15.7.5 / iPadOS 15.7.5, iOS 16.4.1 / iPadOS 16.4.1, and macOS Ventura 13.3.1. It carries a CVSS 3.1 score of 8.8 and is also identified under CWE-416.
An unauthenticated remote attacker can trigger the issue by serving maliciously crafted web content that a victim visits, resulting in arbitrary code execution with the privileges of the browser process. No user privileges are required on the target system, though user interaction is needed to load the content. Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure.
Official Apple advisories direct users to install the listed security updates as the primary mitigation. The associated EPSS score rose sharply from a low baseline to a peak of 0.0256 on 22 April 2023 shortly after publication before receding, indicating a transient but measurable increase in observed exploitation interest following public disclosure.
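A patch-level check against the fixed releases listed above, as an added example that is not Apple's code or part of the original page. The product keys, the rule that a device is compared only against the fix for its own major version, and the sample inventory are assumptions constructed for illustration.

```python
# Fixed releases as listed on this page for CVE-2023-28205.
# Assumption: a build is judged only against the fix for its own major version;
# majors the page does not list are reported as "not_listed", never guessed.
FIXED = {
    "safari": {16: (16, 4, 1)},
    "ios": {15: (15, 7, 5), 16: (16, 4, 1)},
    "ipados": {15: (15, 7, 5), 16: (16, 4, 1)},
    "macos": {13: (13, 3, 1)},
}

# Constructed sample inventory (host, product, reported version).
INVENTORY = [
    ("ipad-01", "iPadOS", "16.4"),
    ("ipad-02", "iPadOS", "15.7.5"),
    ("phone-01", "iOS", "15.8"),
    ("mac-01", "macOS", "13.3.1"),
    ("mac-02", "macOS", "12.6.4"),
    ("phone-02", "iOS", "16.3.1 beta"),
]

def parse_version(text):
    """Turn '16.4' into (16, 4, 0); raise ValueError on non-numeric input."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3 or any(p < 0 for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(product, version):
    """Return 'patched', 'needs_update', 'not_listed' or 'unparseable'."""
    branches = FIXED.get(product.strip().lower())
    if branches is None:
        return "not_listed"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = branches.get(installed[0])
    if fixed is None:
        return "not_listed"
    return "patched" if installed >= fixed else "needs_update"

def triage(inventory):
    """Map each host to its status so unpatched and unknown devices stand out."""
    return {host: patch_status(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `not_listed` or `unparseable` need manual review rather than being counted as compliant.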
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31913
Vulnerability details
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-416
- KEV Date Added: 10 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly implements memory protections that mitigate use-after-free flaws such as CVE-2023-28205 in WebKit.
Requires prompt application of vendor patches that remediate the actively exploited WebKit memory-management flaw.
Restricts execution of untrusted mobile code delivered via web content, limiting the attack vector used to trigger the vulnerability.