Cyber Resilience

CVE-2023-28205

HighCISA KEVActive ExploitationEUVD Exploited

Published: 10 April 2023

Published
10 April 2023
Modified
23 October 2025
KEV Added
10 April 2023
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0007 22.5th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28205 is a high-severity Use After Free (CWE-416) vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability in Apple's WebKit engine, tracked as CVE-2023-28205, affects Safari, iOS, iPadOS, and macOS Ventura. The flaw stems from improper memory management when processing web content and was corrected in Safari 16.4.1, iOS 15.7.5 / iPadOS 15.7.5, iOS 16.4.1 / iPadOS 16.4.1, and macOS Ventura 13.3.1. It carries a CVSS 3.1 score of 8.8 and is also identified under CWE-416.

An unauthenticated remote attacker can trigger the issue by serving maliciously crafted web content that a victim visits, resulting in arbitrary code execution with the privileges of the browser process. No user privileges are required on the target system, though user interaction is needed to load the content. Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure.

Official Apple advisories direct users to install the listed security updates as the primary mitigation. The associated EPSS score rose sharply from a low baseline to a peak of 0.0256 on 22 April 2023 shortly after publication before receding, indicating a transient but measurable increase in observed exploitation interest following public disclosure.

EU & UK References

Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary…

more

code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s)
KEV Date Added
10 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 16.4.1
apple
ipados
≤ 15.7.5 · 16.0 — 16.4.1
apple
iphone os
≤ 15.7.5 · 16.0 — 16.4.1
apple
macos
≤ 13.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements memory protections that mitigate use-after-free flaws such as CVE-2023-28205 in WebKit.

prevent

Requires prompt application of vendor patches that remediate the actively exploited WebKit memory-management flaw.

SC-18 Mobile Code partial match
prevent

Restricts execution of untrusted mobile code delivered via web content, limiting the attack vector used to trigger the vulnerability.

References