CVE-2023-32373
Published: 23 June 2023
Summary
CVE-2023-32373 is a high-severity Use After Free (CWE-416) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 12.4th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-32373 is a use-after-free vulnerability addressed through improved memory management in Apple's web content processing components. It affects watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, and iOS 16.5 and iPadOS 16.5.
An attacker can exploit the flaw by supplying maliciously crafted web content that a user processes in a vulnerable browser or system component, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability.
Apple security advisories HT213757, HT213758, HT213761, and HT213762 state that the issue is resolved in the listed updated releases and advise users to apply those patches. A related Gentoo Linux security advisory, GLSA-202401-04, provides distribution-specific update guidance.
Apple has stated it is aware of reports indicating the vulnerability may have been actively exploited in the wild. The current EPSS score remains low at 0.0004.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36617
Vulnerability details
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead…
more
to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added
- 22 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces memory protections that prevent use-after-free conditions during web-content processing.
Requires timely application of vendor patches that correct the memory-management flaw in affected Apple components.
Restricts or sandbox-executes mobile code (web content) to reduce the attack surface for crafted inputs that trigger the flaw.