Cyber Resilience

CVE-2023-32435

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 June 2023

Modified: 23 October 2025
KEV Added: 23 June 2023
Patch: available (see vendor advisories)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.1st percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32435 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 37.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory corruption vulnerability exists in Apple's web content processing components due to insufficient state management. It affects macOS Ventura prior to version 13.3, Safari prior to 16.4, iOS and iPadOS prior to 16.4, and iOS and iPadOS prior to 15.7.7. The flaw is assigned CWE-787 and carries a CVSS 3.1 score of 8.8.

An unauthenticated remote attacker can exploit the issue by causing a victim to process malicious web content in an affected browser or operating system version, resulting in arbitrary code execution.

Apple security advisories for the listed updates state that the vulnerability is resolved by improved state management in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, and iOS 15.7.7 and iPadOS 15.7.7.

Apple has reported that the issue may have been actively exploited in the wild against versions of iOS released before iOS 15.7. The current EPSS score stands at 0.0042.

EU & UK References

Vulnerability details

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.7 and iPadOS 15.7.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CWE(s)
KEV Date Added: 23 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product     Affected versions
apple    safari      ≤ 16.4
apple    ipados      ≤ 15.7.7 · 16.0 to 16.4
apple    iphone os   ≤ 15.7.7 · 16.0 to 16.4
apple    macos       13.0 to 13.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the vendor patches (macOS 13.3, iOS 16.4/15.7.7, Safari 16.4) that remediate the memory corruption flaw before exploitation occurs.

SI-16 Memory Protection (prevent)

Enforces memory-protection mechanisms that block the out-of-bounds write (CWE-787) used to achieve arbitrary code execution when processing malicious web content.

Malicious code protection (prevent / detect)

Requires malicious-code detection and blocking capabilities in browsers or endpoint agents that can stop or alert on the delivery of the crafted web content that triggers the vulnerability.

References