CVE-2023-42873
Description
A memory corruption issue in macOS, iOS, tvOS, and iPadOS allows an app to execute arbitrary code with kernel privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption issue in the CoreAnimation component across multiple Apple platforms. It is addressed with improved bounds checks. Affected versions include macOS Sonoma before 14.1, macOS Ventura before 13.6.1, macOS Monterey before 12.7.1, iOS and iPadOS before 17.1, iOS and iPadOS before 16.7.2, and tvOS before 17.1 [1][2][3][4].
Exploitation
To exploit this issue, an attacker must have an app running on the device. No special network position or authentication level beyond app execution is required per the available references. The exact exploitation steps are not publicly detailed, but the flaw allows an app to trigger the memory corruption during parsing or processing of crafted data [1].
Impact
Successful exploitation could allow the app to execute arbitrary code with kernel privileges, leading to full system compromise. Depending on the affected version, other impacts such as access to private information or denial-of-service are also possible [1][2][3][4].
Mitigation
Apple has released fixes in macOS Sonoma 14.1, macOS Ventura 13.6.1, macOS Monterey 12.7.1, iOS 17.1 and iPadOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, and tvOS 17.1, all dated October 25, 2023 [1][2][3][4]. Users should update their devices to the patched versions. No workarounds are provided by Apple.
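One way to check a device inventory against the fixed versions listed above, as an added example that is not part of the original page or any Apple tooling. The platform labels, status names, hostnames and inventory rows are constructed for illustration, and treating major releases newer than the listed ones as fixed is an assumption.

```python
# Fixed versions from the Mitigation section, keyed by platform and major train.
FIXED = {
    "macos":  {12: "12.7.1", 13: "13.6.1", 14: "14.1"},
    "ios":    {16: "16.7.2", 17: "17.1"},
    "ipados": {16: "16.7.2", 17: "17.1"},
    "tvos":   {17: "17.1"},
}


def parse_version(text):
    """Turn '17.1' into (17, 1, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(platform, version):
    """Return (status, target); target is the version to move to, if any."""
    trains = FIXED.get(platform.strip().lower())
    if trains is None:
        return ("unknown-platform", None)
    current = parse_version(version)
    major = current[0]
    if major in trains:
        fixed = trains[major]
        if current >= parse_version(fixed):
            return ("patched", None)
        return ("update", fixed)
    if major > max(trains):
        # Assumption: major releases newer than the listed trains carry the fix.
        return ("patched", None)
    # Train has no listed fix: point at the nearest newer train that has one.
    nearest = min(m for m in trains if m > major)
    return ("upgrade-train", trains[nearest])


# Constructed sample inventory: (hostname, platform, OS version).
INVENTORY = [
    ("mbp-014", "macOS", "14.0"),
    ("imac-003", "macOS", "11.7.10"),
    ("iphone-101", "iOS", "16.7.1"),
    ("ipad-007", "iPadOS", "17.1.2"),
    ("atv-lobby", "tvOS", "16.6"),
]


def triage(inventory):
    """Map each hostname to its (status, target) result."""
    return {host: classify(plat, ver) for host, plat, ver in inventory}
```

Devices reported as `upgrade-train` are on a release line for which the page lists no fix, so a point update within that line does not address the issue.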
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) Range: <17.1
- (no CPE) Range: unspecified
- Range: <14.1
- Range: <17.1
- Range: unspecified
- Range: unspecified
Patches
No patches discovered yet.
References
6
News mentions
No linked articles in our index yet.