CVE-2023-38600

HIGH

Safari < 16.6 - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-38600. PoCs published by afrojack1.

AI-analyzed exploit summary This PoC exploits CVE-2023-38600, a vulnerability in Safari's ArrayBuffer implementation. It manipulates buffer resizing during a copyWithin operation to trigger a type confusion, potentially leading to memory corruption.

Description

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.

Exploits (1)

nomisec WORKING POC
by afrojack1 · poc
https://github.com/afrojack1/cve202338600test.github.io

This PoC exploits CVE-2023-38600, a vulnerability in Safari's ArrayBuffer implementation. It manipulates buffer resizing during a copyWithin operation to trigger a type confusion, potentially leading to memory corruption.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Safari (WebKit) with resizable ArrayBuffer support
No auth needed
Prerequisites: Safari browser with resizable ArrayBuffer support
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (10)

Core 10

Scores

CVSS v3 8.8
EPSS 0.0135
EPSS Percentile 67.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

Status published
Products (6)
apple/ipados < 16.6
apple/iphone_os < 16.6
apple/macos 13.0 - 13.5
apple/safari < 16.6
apple/tvos < 16.6
apple/watchos < 9.6
Published Jul 27, 2023
Tracked Since Feb 18, 2026