CVE-2023-41990
HIGH KEViPadOS < 15.7.8 - Remote Code Execution via Font File Processing
Title source: llmExploitation Summary
CVE-2023-41990 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 8, 2024.
Description
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
References (8)
Core 8
Core References
Vendor Advisory
https://support.apple.com/en-us/HT213599
Vendor Advisory
https://support.apple.com/en-us/HT213601
Vendor Advisory
https://support.apple.com/en-us/HT213605
Vendor Advisory
https://support.apple.com/en-us/HT213606
Vendor Advisory
https://support.apple.com/en-us/HT213842
Vendor Advisory
https://support.apple.com/en-us/HT213844
Vendor Advisory
https://support.apple.com/en-us/HT213845
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41990
Scores
CVSS v3
7.8
EPSS
0.0268
EPSS Percentile
86.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2024-01-08
VulnCheck KEV
2023-01-23
InTheWild.io
2023-07-24
ENISA EUVD
EUVD-2023-46449
Status
published
Products (5)
apple/ipados
< 15.7.8
apple/iphone_os
< 15.7.8
apple/macos
< 11.7.9
apple/tvos
< 16.3
apple/watchos
< 9.3
Published
Sep 12, 2023
KEV Added
Jan 08, 2024
Tracked Since
Feb 18, 2026