Unrated severity · NVD Advisory · Published Jun 23, 2023 · Updated Dec 5, 2024

CVE-2023-32372

Description

An out-of-bounds read in image processing on Apple devices could disclose process memory; fixed in iOS 16.5, iPadOS 16.5, watchOS 9.5, tvOS 16.5, macOS Ventura 13.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the image processing component of Apple operating systems. The issue is triggered when processing a specially crafted image. Affected versions include iOS and iPadOS prior to 16.5, watchOS prior to 9.5, tvOS prior to 16.5, and macOS Ventura prior to 13.4.

Exploitation

An attacker can exploit this vulnerability by delivering a malicious image to the target device. No special privileges are required; the image may be processed automatically by applications such as Messages, Mail, or a web browser. Minimal user interaction (e.g., viewing the image) is sufficient to trigger the out-of-bounds read.

Impact

Successful exploitation results in disclosure of process memory, potentially leaking sensitive information such as cryptographic keys, user data, or other confidential material. There is no indication of code execution or privilege escalation.

Mitigation

Apple addressed the issue with improved input validation in the following releases: iOS 16.5 and iPadOS 16.5 [2], watchOS 9.5 [4], tvOS 16.5 [3], and macOS Ventura 13.4 [1], all made available on May 18, 2023. No workarounds have been published. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
