Cyber Resilience

CVE-2023-42916

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 30 November 2023

Published
30 November 2023
Modified
23 October 2025
KEV Added
04 December 2023
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0005 16.1th percentile
Risk Priority 33 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-42916 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Apple Ipados. Its CVSS base score is 6.5 (Medium).

Operationally, ranked at the 16.1th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-42916 is an out-of-bounds read vulnerability (CWE-125) that affects web content processing in iOS, iPadOS, macOS Sonoma, and Safari. The flaw stems from insufficient input validation and was corrected in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2. With a CVSS 3.1 score of 6.5, the issue permits remote disclosure of sensitive information when a user processes crafted web content.

An unauthenticated attacker can exploit the vulnerability by delivering malicious web content that triggers the out-of-bounds read, resulting in leakage of process memory without requiring elevated privileges. User interaction is necessary, typically in the form of visiting a hostile website or opening a malicious link.

Apple has released the listed updates to address the issue, and the referenced full-disclosure advisories document the availability of these patches along with the affected version ranges. The vendor also notes awareness of a report indicating that the vulnerability may have been exploited in the wild against iOS versions prior to 16.7.1. The current EPSS remains low at 0.0005 with no indicated upward trajectory.

EU & UK References

Vulnerability details

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue…

more

may have been exploited against versions of iOS before iOS 16.7.1.

CWE(s)
KEV Date Added
04 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 17.1.2
apple
ipados
≤ 15.8.1 · 16.0 — 16.7.3 · 17.0 — 17.1.2
apple
iphone os
≤ 15.8.1 · 16.0 — 16.7.3 · 17.0 — 17.1.2
apple
macos
14.0 — 14.1.2
fedoraproject
fedora
38, 39
debian
debian linux
11.0, 12.0
webkitgtk
webkitgtk\+
≤ 2.42.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause by enforcing improved input validation on untrusted web content before it is processed.

prevent

Requires timely application of vendor patches that remediate the out-of-bounds read in Safari/WebKit.

preventdetect

Provides malicious-code inspection and blocking for web-originating content that could trigger the vulnerability.

References