CVE-2023-28201
Description
A remote user may cause unexpected app termination or arbitrary code execution via a state management issue in Apple OS updates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
This issue, present in macOS Ventura before 13.3, Safari before 16.4, iOS and iPadOS before 16.4, iOS and iPadOS before 15.7.4, and tvOS before 16.4, is a state management flaw in an unspecified component [1][2][3][4]. The vulnerability can be triggered when a remote user interacts with a maliciously crafted input, leading to memory corruption.
Exploitation
An attacker needs no local access; a remote user who visits a malicious website or opens a crafted file can trigger the flaw [1][2][3][4]. No authentication or special privileges are required. The exploit sequence involves delivering a crafted payload that exploits the improper state handling to corrupt memory.
Impact
Successful exploitation can lead to unexpected application termination or arbitrary code execution in the context of the affected process [1]. The impact includes potential denial of service (app termination) and arbitrary code execution, which could be leveraged for further compromise of the device.
Mitigation
Apple addressed the issue in macOS Ventura 13.3, Safari 16.4, iOS and iPadOS 16.4, iOS and iPadOS 15.7.4, and tvOS 16.4, all released on March 27, 2023 [1][2][3][4]. Users should update their devices to the latest available versions. No workarounds are disclosed, and the issue is not listed in CISA’s Known Exploited Vulnerabilities (KEV) at the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7 entries:
- (no CPE) range: <16.4
- (no CPE) range: unspecified
- range: <13.3
- range: <16.4
- range: unspecified
- range: unspecified
- range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.