Cyber Resilience

CVE-2023-32439

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 June 2023
Modified: 23 October 2025
KEV Added: 23 June 2023
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0116 (79.0th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32439 is a high-severity Type Confusion (CWE-843) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 21.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

A type confusion vulnerability, tracked as CVE-2023-32439 and assigned CWE-843, was present in WebKit components used by Apple platforms. The flaw affected iOS 16.5 and earlier, iPadOS 16.5 and earlier, iOS 15.7.6 and earlier, iPadOS 15.7.6 and earlier, macOS Ventura 13.4 and earlier, and Safari 16.5 and earlier. It was resolved through improved type checks in the updates iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, iPadOS 15.7.7, macOS Ventura 13.4.1, and Safari 16.5.1.

An unauthenticated remote attacker could exploit the issue by serving maliciously crafted web content that a victim processes in a vulnerable browser or app. Successful exploitation grants arbitrary code execution with the privileges of the affected process, consistent with the CVSS 8.8 rating, which reflects a network attack vector, low attack complexity, and no required privileges; the vector string's UI:R component records that the victim must interact with the content (for example, by visiting a page) for the attack to succeed.

Apple security advisories HT213811, HT213813, HT213814, and HT213816 state that users should install the listed updates to address the vulnerability. The same advisories note that Apple is aware of reports indicating the issue may have been actively exploited in the wild. The associated EPSS score has remained flat at 0.0116 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 23 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Affected versions
apple · safari · ≤ 16.5.1
apple · ipados · ≤ 15.7.7 · 16.0 — 16.5.1
apple · iphone os · ≤ 15.7.7 · 16.0 — 16.5.1
apple · macos · 13.0 — 13.4.1
webkitgtk · webkitgtk+ · ≤ 2.42.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly requires timely installation of vendor patches that remediate the WebKit type-confusion flaw before malicious web content can be processed.

SC-18 Mobile Code · partial match · prevent

Restricts or sandbox-executes mobile code (JavaScript, WebAssembly) delivered via web content, limiting exploitation of the type-confusion issue in WebKit.

prevent · detect

Deploys malicious-code detection mechanisms that can block or alert on web-delivered payloads crafted to trigger the WebKit vulnerability.

References