CVE-2023-42916
Published: 30 November 2023
Summary
CVE-2023-42916 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Apple iPadOS. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks at the 16.1 percentile for exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-42916 is an out-of-bounds read vulnerability (CWE-125) that affects web content processing in iOS, iPadOS, macOS Sonoma, and Safari. The flaw stems from insufficient input validation and was corrected in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2. With a CVSS 3.1 score of 6.5, the issue permits remote disclosure of sensitive information when a user processes crafted web content.
An unauthenticated attacker can exploit the vulnerability by delivering malicious web content that triggers the out-of-bounds read, resulting in leakage of process memory without requiring elevated privileges. User interaction is necessary, typically in the form of visiting a hostile website or opening a malicious link.
Apple has released the listed updates to address the issue, and the referenced full-disclosure advisories document the availability of these patches along with the affected version ranges. The vendor also notes awareness of a report indicating that the vulnerability may have been exploited in the wild against iOS versions prior to 16.7.1. The current EPSS remains low at 0.0005 with no indicated upward trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47337
Vulnerability details
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
- CWE(s)
- KEV Date Added: 04 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the root cause by enforcing improved input validation on untrusted web content before it is processed.
Requires timely application of vendor patches that remediate the out-of-bounds read in Safari/WebKit.
Provides malicious-code inspection and blocking for web-originating content that could trigger the vulnerability.