VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 17, 2008· Updated Apr 23, 2026

CVE-2008-3623

CVE-2008-3623

Description

Heap-based buffer overflow in CoreGraphics in Apple Safari before 3.2 on Windows, in iPhone OS 1.0 through 2.2.1, and in iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image, related to improper handling of color spaces.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-based buffer overflow in CoreGraphics allows remote code execution via a crafted image with improper color space handling.

Vulnerability

A heap-based buffer overflow exists in CoreGraphics, affecting Apple Safari before version 3.2 on Windows, iPhone OS versions 1.0 through 2.2.1, and iPod touch versions 1.1 through 2.2.1 [1][2][3]. The vulnerability is triggered by a crafted image file that exploits improper handling of color spaces, leading to memory corruption.

Exploitation

An attacker can exploit this vulnerability by enticing a user to view a specially crafted image, either through a web page in Safari or via other means that render the image using CoreGraphics. No authentication is required; the attacker only needs to deliver the malicious image to the target system.

Impact

Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the affected application, or cause a denial of service (application crash) [4]. This could lead to full system compromise on affected platforms.

Mitigation

Apple addressed this vulnerability in Safari 3.2 for Windows [3], iOS 3.0 for iPhone and iPod touch [1], and Security Update 2008-008 / Mac OS X v10.5.6 [2][4]. Users should update to the latest available versions. No workarounds are documented.

References
  1. About the security content of iOS 3.0 Software Update - Apple Support
  2. About the security content of Security Update 2008-008 / Mac OS X v10.5.6 - Apple Support
  3. About the security content of Safari 3.2 - Apple Support
  4. Apple Updates for Multiple Vulnerabilities | CISA

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

46
  • Apple Inc./Safari44 versions
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*+ 43 more
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*range: <=3.1.2
    • cpe:2.3:a:apple:safari:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.3_417.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4_419.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0_pre:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:522.15.5:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4_beta:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4_beta:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:*:*:windows:*:*:*:*:*
    • (no CPE)range: <3.2 (Windows)
  • Apple Inc./iPhone OS for iPod touchllm-create
    Range: 1.1 through 2.2.1
  • Apple Inc./Iphone Osllm-fuzzy
    Range: 1.0 through 2.2.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.