Released May 18, 2023
Accessibility
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass privacy settings
Description: A privacy issue was addressed with improved blurring of private data in log entries.
CVE-2023-32388: Done (@Pwnrin)
Accessibility
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Permissions and privacy privileges granted to this app may be used by a malicious app
Description: This issue was addressed through improved checks.
CVE-2023-32400: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass privacy settings
Description: This issue was addressed with improved permissions.
CVE-2023-32411: Mickey Jin (@patch1t)
Associated Domains
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass the sandbox
Description: The issue was addressed through improved checks.
CVE-2023-32371: James Duffy (mangoSecure)
Cellular
Available for: iPhone8 and iPhoneX
Impact: A remote attacker may cause arbitrary code execution
Description: The issue was addressed through improved bounds checking.
CVE-2023-32419: Amat Cama von Vigilant Labs
CoreLocation
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to read sensitive location data
Description: The issue was addressed through improved handling of caches.
CVE-2023-32399: An anonymous researcher
CoreServices
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass privacy settings
Description: This issue was addressed through improved confidential information blurring.
CVE-2023-28191: Mickey Jin (@patch1t)
GeoServices
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to read sensitive location data
Description: A privacy issue was addressed with improved blurring of private data in log entries.
CVE-2023-32392: An anonymous researcher
ImageIO
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing an image file may lead to disclosure of process memory
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
CVE-2023-32372: Meysam Firouzi of the @R00tkitSMM Mbition Mercedes-Benz Innovation Lab in collaboration with Trend Micro's Zero Day Initiative
ImageIO
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing an image file may lead to arbitrary code execution
Description: A buffer overflow issue was addressed through improved bounds checking.
CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro's Zero Day Initiative
IOSurfaceAccelerator
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Kernel memory may be exposed by an app
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
CVE-2023-32354: Linus Henze from Pinauten GmbH (pinauten.de)
IOSurfaceAccelerator
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may cause an unexpected system termination or read kernel memory
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
CVE-2023-32420: Linus Henze from Pinauten GmbH (pinauten.de)
Kernel
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to run arbitrary code with kernel privileges
Description: A type confusion issue was addressed with improved checks.
CVE-2023-27930: 08Tc3wBB from Jamf
Kernel
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to run arbitrary code with kernel privileges
Description: A use-after-free issue was addressed through improved memory management.
CVE-2023-32398: Adam Doupé from ASU SEFCOM
Kernel
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to gain root privileges
Description: A race condition issue was addressed through improved status handling.
CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv) in collaboration with Trend Micro's Zero Day Initiative
LaunchServices
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may bypass gatekeeper checks
Description: A logic issue was addressed with improved exams.
CVE-2023-32352: Wojciech Regula (@_r3ggi) von SecuRing (wojciechregula.blog)
Metal
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass privacy settings
Description: A logic issue was addressed with improved state management.
CVE-2023-32407: Gergely Kalman (@gergely_kalman)
ModelI/O
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing a 3D model may lead to disclosure of process memory
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
CVE-2023-32368: Mickey Jin (@patch1t)
NetworkExtension
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to read sensitive location data
Description: This issue was addressed through improved confidential information blurring.
CVE-2023-32403: An anonymous researcher
PDFKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Opening a PDF file may lead to an unexpected app termination
Description: A denial of service issue was addressed through improved memory management.
CVE-2023-32385: Jonathan Fritz
Photos
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Shake to revoke may reappear a deleted photo without authentication
Description: The issue was addressed through improved checks.
CVE-2023-32365: Jiwon Park
Photos
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Photos in the Hidden Photos album could be viewed via visual search without authorization
Description: The issue was addressed through improved checks.
CVE-2023-32390: Julian Szulc
Sandbox
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may gain access to system configuration files even after permissions have been revoked
Description: An authorization issue was addressed through improved state management.
CVE-2023-32357: YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com) and Csaba Fitzl (@theevilbit) of Offensive Security can be hacked
Security
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved permissions.
CVE-2023-32367: James Duffy (mangoSecure)
Shortcuts
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: A shortcut may use sensitive data for certain actions without prompting the user
Description: The issue was addressed through improved checks.
CVE-2023-32391: Wenchao Li und Xiaolong Bai von der Alibaba Group
Shortcuts
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to bypass privacy settings
Description: This issue was addressed with improved permissions.
CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) from Tencent Security Xuanwu Lab (xlab.tencent.com) and an anonymous researcher
Siri
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: A user with physical access to a device may be able to see contact information on the lock screen
Description: The issue was addressed through improved checks.
CVE-2023-32394: Khiem Tran
SQLite
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An application may be able to access data from other applications by enabling additional SQLite logging
Description: The issue was addressed by adding additional SQLite logging restrictions.
CVE-2023-32422: Gergely Kalman (@gergely_kalman)
StorageKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to modify protected areas of the file system
Description: This issue was addressed with improved permissions.
CVE-2023-32376: Yigit Can YILMAZ (@yilmazcanyigit)
System Settings
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app firewall setting may be ineffective after the settings app exits
Description: This issue was addressed through improved state management.
CVE-2023-28202: Satish Panduranga and an anonymous researcher
Telephony
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Remote attackers may cause unexpected app termination or arbitrary code execution
Description: A use-after-free issue was addressed through improved memory management.
CVE-2023-32412: Ivan Fratric of GoogleProjectZero
TV App
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to read sensitive location data
Description: The issue was addressed through improved handling of caches.
CVE-2023-32408: An anonymous researcher
Weather
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: An app may be able to read sensitive location data
Description: This issue was addressed through improved confidential information blurring.
CVE-2023-32415: Wojciech Reguła from SecuRing (wojciechregula.blog) and an anonymous researcher
WebKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing web content may disclose sensitive information
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
WebKit Bugz: 255075
CVE-2023-32402: An anonymous researcher
WebKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing web content may disclose sensitive information
Description: A buffer overflow issue was addressed through improved memory management.
WebKit Bugz: 254781
CVE-2023-32423: Ignacio Sanmillan (@ulexec)
WebKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: A remote attacker may be able to bypass the web content sandbox Apple is aware of a report that this issue may be actively being exploited.
Description: The issue was addressed through improved bounds checking.
WebKit Bugz: 255350
CVE-2023-32409: Clément Lecigne von der Threat Analysis Group von Google und Donncha Ó Cearbhaill vom Security Lab von Amnesty International
WebKit
Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer)
Impact: Processing web content may disclose sensitive information Apple is aware of a report that this issue may be actively being exploited.
Description: An issue that could cause data to be read outside of the allocated range was addressed with improved input validation.
WebKit Bugz: 254930
CVE-2023-28204: An anonymous researcher
This issue was first addressed in Rapid Security Response iOS16.4.1(a) and iPadOS16.4.1(a). WebKit Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Apple is aware of a report that this issue may be actively being exploited. Description: A use-after-free issue was addressed through improved memory management. WebKit Bugz: 254840 This issue was first addressed in Rapid Security Response iOS16.4.1(a) and iPadOS16.4.1(a). Wi-Fi Available for: iPhone8 and newer, iPadPro (all models), iPadAir (3rd generation and newer), iPad (5th generation and newer) and iPadmini (5th generation and newer) Impact: Kernel memory may be exposed by an app Description: This issue was addressed through improved confidential information blurring. CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) von STAR Labs SG Pte. Ltd.
CVE-2023-32373: An anonymous researcher