Cyber Resilience

CVE-2023-42917

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 30 November 2023

Modified: 23 October 2025
KEV Added: 04 December 2023
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.4th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-42917 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).

Operationally, it is ranked at the 25.4th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory corruption vulnerability addressed through improved locking affects the web content processing component in Apple's platforms. It impacts iOS and iPadOS prior to version 17.1.2, macOS Sonoma prior to 14.1.2, and Safari prior to 17.1.2. The flaw carries a CVSS score of 8.8 and is categorized under CWE-787, with successful exploitation resulting in arbitrary code execution when malicious web content is processed.

An attacker can trigger the issue remotely by serving specially crafted web content that a user visits in Safari or another affected browser. No authentication is required, though user interaction is needed to load the page, after which the attacker can achieve full code execution with the privileges of the browser process.

Apple's security updates for the listed versions resolve the issue, and full disclosure advisories published in December 2023 detail the affected builds and fixed releases. The vendor has stated that the vulnerability may have been exploited in the wild against iOS versions before 16.7.1. The current EPSS score remains low at 0.0009 with no indicated upward movement.

Vulnerability details

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 04 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple / safari: ≤ 17.1.2
apple / ipados: ≤ 15.8.1 · 16.0 — 16.7.3 · 17.0 — 17.1.2
apple / iphone os: ≤ 15.8.1 · 16.0 — 16.7.3 · 17.0 — 17.1.2
apple / macos: 14.0 — 14.1.2
debian / debian linux: 11.0, 12.0
fedoraproject / fedora: 38, 39
webkitgtk / webkitgtk+: ≤ 2.42.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires applying the vendor patches that correct the locking deficiency in WebKit before malicious web content can trigger the out-of-bounds write.

SI-16 Memory Protection
prevent

Enforces memory-protection mechanisms that mitigate exploitation of the out-of-bounds write (CWE-787) that leads to arbitrary code execution.

SC-18 Mobile Code (partial match)
prevent

Restricts or inspects mobile code (JavaScript, etc.) delivered as web content, limiting the attack vector used to reach the vulnerable WebKit component.
