CVE-2023-41974
Published: 10 January 2024
Summary
CVE-2023-41974 is a high-severity Use After Free (CWE-416) vulnerability in Apple iPadOS. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 44.4th percentile by exploit likelihood (below the median). CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability, tracked as CVE-2023-41974 and assigned CWE-416, affects Apple's iOS and iPadOS platforms. The flaw stems from insufficient memory management and can be triggered by a malicious application to achieve arbitrary code execution with kernel-level privileges. It is resolved in iOS 17 and iPadOS 17 as well as iOS 15.8.7 and iPadOS 15.8.7.
An attacker who can persuade a user to run a crafted application on an affected device may exploit the issue without additional privileges beyond local access and user interaction. Successful exploitation grants the ability to run arbitrary code inside the kernel, potentially leading to full device compromise including escalation of privileges and bypass of sandbox restrictions.
Apple security advisories direct users to install the listed updates, which address the use-after-free condition with improved memory management. The references also include analysis of iOS exploit tooling, indicating that similar memory-corruption primitives have appeared in observed attack chains. The current EPSS score remains low at 0.0022 with no reported material increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46433
Vulnerability details
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be able to execute arbitrary code with kernel privileges.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 05 March 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires memory protection mechanisms that mitigate use-after-free flaws enabling kernel code execution.
Mandates timely application of patches that correct the memory-management defect in affected iOS releases.
Enforces process isolation boundaries that limit the impact of a user-space app reaching kernel privileges.