CVE-2023-41990
Vexday Risk Score
51 (Attention)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8 | EPSS 1.1% | KEV yes | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
11 Sep 2023: Published on NVD
08 Jan 2024: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Processing a malicious font file can allow an attacker to run arbitrary code on your Apple device. This vulnerability affects iPhones, iPads, Macs, and Apple Watches, and Apple confirms it has been exploited in real attacks.
Technical detail
A memory corruption vulnerability in font processing allows arbitrary code execution when a crafted font file is processed. The attack requires user interaction (opening a malicious font or content containing it) and impacts multiple Apple platforms. The fix involves improved cache handling to prevent unsafe memory access during font rendering.
Summary generated and translated by AI from the official description.
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
https://support.apple.com/en-us/HT213599
https://support.apple.com/en-us/HT213601
https://support.apple.com/en-us/HT213605
https://support.apple.com/en-us/HT213606
https://support.apple.com/en-us/HT213842
https://support.apple.com/en-us/HT213844
https://support.apple.com/en-us/HT213845
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41990