CVE-2023-42928
Description
A bounds check vulnerability in iOS and iPadOS before 17.1 allows an app to gain elevated privileges, potentially accessing private information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A bounds check issue exists in iOS and iPadOS that can be exploited by a malicious application to gain elevated privileges. The flaw is present in versions prior to iOS 17.1 and iPadOS 17.1, affecting iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later [1].
Exploitation
An attacker would need to convince a user to install a crafted application on their device. Once installed and executed, the app can leverage the insufficient bounds checking to escalate its privileges beyond its intended sandbox restrictions [1]. No additional authentication or network access is required beyond the initial installation.
Impact
Successful exploitation allows the attacker's app to gain elevated privileges, which may enable access to private information stored on the device, such as contacts, messages, or credentials. The impact is limited to local privilege escalation and does not directly allow remote code execution [1].
Mitigation
Apple released the fix in iOS 17.1 and iPadOS 17.1 on October 25, 2023. Users should update their devices to the latest version via Settings > General > Software Update. No workarounds are available for unpatched versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <17.1
- Range: <17.1
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
No linked articles in our index yet.