CVE-2023-42916: Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
First published: Thu Nov 30 2023(Updated: )
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Credit: product-security@apple.com product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple macOS Sonoma | <14.1.2 | 14.1.2 |
| Apple Safari | <17.1.2 | 17.1.2 |
| Apple iOS | <17.1.2 | 17.1.2 |
| Apple iPadOS | <17.1.2 | 17.1.2 |
| Apple iOS | <15.8.1 | 15.8.1 |
| Apple iPadOS | <15.8.1 | 15.8.1 |
| Apple iPhone | ||
| Apple Mac | ||
| Apple TV | ||
| Apple watch | ||
| Apple iOS | <16.7.3 | 16.7.3 |
| Apple iPadOS | <16.7.3 | 16.7.3 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.22.04.1 | 2.42.3-0ubuntu0.22.04.1 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.23.04.1 | 2.42.3-0ubuntu0.23.04.1 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.23.10.1 | 2.42.3-0ubuntu0.23.10.1 |
| ubuntu/webkit2gtk | <2.42.3 | 2.42.3 |
| debian/webkit2gtk | <=2.36.4-1~deb10u1<=2.38.6-0+deb10u1<=2.42.2-1~deb11u1<=2.42.2-1~deb12u1 | 2.42.5-1~deb11u1 2.42.5-1~deb12u1 2.42.5-1 2.44.1-1 |
| debian/wpewebkit | <=2.38.6-1~deb11u1<=2.38.6-1 | 2.42.5-1 2.44.1-1 |
| Apple watchOS | <10.2 | 10.2 |
| Apple tvOS | <17.2 | 17.2 |
| Apple Multiple Products | ||
| Apple Safari | <17.1.2 | |
| Apple iPadOS | <15.8.1 | |
| Apple iPadOS | >=16.0<16.7.3 | |
| Apple iPadOS | >=17.0<17.1.2 | |
| Apple iPhone OS | <15.8.1 | |
| Apple iPhone OS | >=16.0<16.7.3 | |
| Apple iPhone OS | >=17.0<17.1.2 | |
| Apple macOS | >=14.0<14.1.2 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| Webkitgtk Webkitgtk\+ | <2.42.3 | |
| <17.1.2 | ||
| <15.8.1 | ||
| >=16.0<16.7.3 | ||
| >=17.0<17.1.2 | ||
| <15.8.1 | ||
| >=16.0<16.7.3 | ||
| >=17.0<17.1.2 | ||
| >=14.0<14.1.2 | ||
| =38 | ||
| =39 | ||
| =11.0 | ||
| =12.0 | ||
| <2.42.3 |
Remedy
Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT214032 (Advisory)
- https://support.apple.com/en-us/HT214033 (Advisory)
- https://support.apple.com/en-us/HT214031 (Advisory)
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-patched-iphone-kernel-bug-now-exploited-in-attacks/
- http://www.openwall.com/lists/oss-security/2023/12/05/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AD2KIHHCUBQC2YYH3FJWAHI5BG3QETOH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P5LQS6VEI7VIZNC7QGQ62EOV45R5RJIR/
- https://www.debian.org/security/2023/dsa-5575
- http://seclists.org/fulldisclosure/2023/Dec/3
- http://seclists.org/fulldisclosure/2023/Dec/4
- http://seclists.org/fulldisclosure/2023/Dec/5
- http://seclists.org/fulldisclosure/2023/Dec/8
- http://seclists.org/fulldisclosure/2023/Dec/12
- http://seclists.org/fulldisclosure/2023/Dec/13
- https://security.gentoo.org/glsa/202401-04
- http://seclists.org/fulldisclosure/2024/Jan/35
- https://launchpad.net/bugs/cve/CVE-2023-42916
- https://support.apple.com/en-us/HT214062 (Advisory)
- https://support.apple.com/en-us/HT214041 (Advisory)
- https://support.apple.com/en-us/HT214040 (Advisory)
- https://support.apple.com/en-us/HT214034 (Advisory)
- https://webkitgtk.org/security/WSA-2023-0011.html
- https://ubuntu.com/security/notices/USN-6545-1
- https://www.cve.org/CVERecord?id=CVE-2023-42916
- https://nvd.nist.gov/vuln/detail/CVE-2023-42916
- https://security-tracker.debian.org/tracker/CVE-2023-42916
- https://ubuntu.com/security/CVE-2023-42916
- https://support.apple.com/en-us/HT214031,
- https://support.apple.com/en-us/HT214032,
- https://support.apple.com/kb/HT214062
- https://support.apple.com/kb/HT214033
- https://support.apple.com/kb/HT214034
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-42916
- CVE-2023-42917
- CVE-2022-48618
- CVE-2024-23222
- CVE-2023-42919
- CVE-2023-42896
- CVE-2023-42884
- CVE-2023-42962
- CVE-2023-42922
- CVE-2023-42899
- CVE-2023-42974
- CVE-2023-42914
- CVE-2023-42893
- CVE-2023-42883
- CVE-2023-42937
- CVE-2023-42898
- CVE-2023-42888
- CVE-2023-42936
- CVE-2023-42947
- CVE-2023-40389
- CVE-2023-42890
- CVE-2023-42950
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-42916.
What is the title of this vulnerability?
The title of this vulnerability is 'WebKit. An out-of-bounds read was addressed with improved input validation.'
What is the severity of CVE-2023-42916?
The severity of CVE-2023-42916 is not mentioned in the description.
How can this vulnerability be exploited?
This vulnerability can be exploited by processing web content, which may disclose sensitive information.
How can I fix this vulnerability?
To fix this vulnerability, update to the latest versions of affected software: iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/title
- agent/weakness
- collector/apple-support
- source/Apple
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2022-48618
- alias/CVE-2024-23222
- alias/CVE-2023-42916
- alias/CVE-2023-42917
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- agent/news-ai
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-cve
- agent/trending
- vendor/apple
- canonical/apple macos sonoma
- canonical/apple safari
- canonical/apple ios
- canonical/apple ipados
- canonical/apple iphone
- canonical/apple mac
- canonical/apple tv
- canonical/apple watch
- package-manager/ubuntu
- package-manager/debian
- canonical/apple watchos
- canonical/apple tvos
- canonical/apple multiple products
- version/apple ipados/16.0
- version/apple ipados/17.0
- canonical/apple iphone os
- version/apple iphone os/16.0
- version/apple iphone os/17.0
- canonical/apple macos
- version/apple macos/14.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- vendor/webkitgtk
- canonical/webkitgtk webkitgtk\+