CVE-2023-32420

Vulnerability

CVE-2023-32420 is an out-of-bounds read vulnerability in the kernel of multiple Apple operating systems. The issue exists in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4 [1][2][3][4]. It was addressed with improved input validation.

Exploitation

An attacker would need to have the ability to run a malicious app on the affected device. No additional privileges or user interaction beyond installing and running the app are required. The app can trigger the out-of-bounds read by sending crafted input to the kernel [1].

Impact

Successful exploitation could lead to unexpected system termination (denial of service) or reading kernel memory, which may expose sensitive information [1]. The impact combines denial of service with a potential information disclosure.

Mitigation

Apple fixed this issue in the following releases, all published on May 18, 2023: iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4 [1][2][3][4]. Users should update to the latest available versions. No workarounds are documented.