Cyber Resilience

CVE-2023-38606

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 July 2023

Modified: 31 October 2025
KEV Added: 26 July 2023
Patch
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38606 is a medium-severity vulnerability of an unspecified weakness type in Apple macOS. Its CVSS base score is 5.5 (Medium).

Operationally, it is ranked at the 27.8th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

This vulnerability stems from insufficient state management in the kernel, allowing an app to modify sensitive kernel state. It affects a range of Apple platforms in versions prior to the listed updates: macOS Monterey 12.6.8, macOS Big Sur 11.7.9, macOS Ventura 13.5, iOS 15.7.8, iOS 16.6, iPadOS 15.7.8, iPadOS 16.6, tvOS 16.6, and watchOS 9.6. The issue carries a CVSS score of 5.5, reflecting a local attack vector, low complexity, no required privileges, and required user interaction, with high impact on integrity but none on confidentiality or availability.

An attacker with the ability to run an app on an affected device can exploit the flaw to alter protected kernel state. Because the vector is local and user interaction is needed, the scenario typically involves convincing a target to install or execute a malicious application, after which the app can tamper with kernel data structures without elevated privileges.

Apple's security advisories for the referenced updates state that the issue was resolved through improved state management and recommend installing the patches for macOS Monterey 12.6.8 and later, iOS 16.6 and later, and the corresponding releases for other platforms. Apple states that it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The current EPSS score remains low at 0.0010 with no indicated rise.

Vulnerability details

This issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

CWE(s)
KEV Date Added: 26 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple ipados: ≤ 15.7.8 · 16.0 — 16.6
apple iphone os: ≤ 15.7.8 · 16.0 — 16.6
apple macos: 11.0 — 11.7.9 · 12.0.0 — 12.6.8 · 13.0 — 13.5
apple tvos: ≤ 16.6
apple watchos: ≤ 9.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that user-space apps cannot modify sensitive kernel state without explicit authorization, blocking the exact flaw exploited by CVE-2023-38606.

prevent

Ensures apps and processes operate with only the privileges needed, preventing the unauthorized kernel-state changes permitted by the state-management weakness.

prevent

Provides process isolation boundaries that limit an app's ability to reach or alter kernel memory and state, directly mitigating the local exploitation vector.
