CVE-2023-28204 Overview
CVE-2023-28204 is an out-of-bounds read in WebKit, the browser engine behind Safari and behind every browser on iOS and iPadOS. Processing maliciously crafted web content can make the engine read memory past the bounds of a buffer and hand the contents back to the page. Apple describes the fix as "improved input validation", credits the report to Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, and states that it is aware of a report that the issue may have been actively exploited. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This actively exploited vulnerability lets a remote attacker read data from the memory of the WebKit content process by enticing a user to open malicious web content. On its own it leaks information rather than executing code, but a leak of this kind is the standard first stage of a browser exploit chain (it defeats ASLR before a memory-corruption bug is triggered), so patch it with the urgency of a code-execution bug across all affected Apple devices and WebKitGTK+/WPE WebKit installations.
Affected Products
- Apple Safari (versions prior to 16.5; Safari 16.5 is also the carrier of the fix for macOS Big Sur and macOS Monterey)
- Apple iOS and iPadOS (versions prior to 16.5 on the 16 branch and prior to 15.7.6 on the 15 branch; the Rapid Security Response iOS/iPadOS 16.4.1 (a) also contains the fix)
- Apple macOS Ventura (versions prior to 13.4; the Rapid Security Response macOS 13.3.1 (a) also contains the fix)
- Apple tvOS (versions prior to 16.5)
- Apple watchOS (versions prior to 9.5)
- WebKitGTK+ and WPE WebKit (versions prior to 2.40.2)
Discovery Timeline
- May 1, 2023 - Apple ships Rapid Security Responses iOS/iPadOS 16.4.1 (a) and macOS 13.3.1 (a); Apple's later advisories state that this issue was first addressed in those responses
- May 18, 2023 - Apple releases Safari 16.5, iOS/iPadOS 16.5 and 15.7.6, macOS Ventura 13.4, tvOS 16.5 and watchOS 9.5 and assigns the CVE identifier
- May 22, 2023 - CISA adds CVE-2023-28204 to the KEV catalog
- June 23, 2023 - CVE-2023-28204 published to NVD
- October 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-28204
Vulnerability Analysis
CVE-2023-28204 is classified as CWE-125 (Out-of-bounds Read): WebKit reads data before the beginning or past the end of an intended buffer. This is a memory-safety bug rather than memory corruption, since the read does not modify anything; the attacker-visible effect is the contents of whatever lies adjacent to the buffer. NVD scores it CVSS 3.1 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: reachable over the network with no privileges, but the victim must open attacker-controlled web content.
The leaked bytes come from the WebKit content process (the sandboxed renderer), so they are that process's memory: heap contents, object layouts and pointers, not arbitrary files or keychain items. In practice this class of bug is valuable as a primitive rather than as a data theft tool. A read that discloses heap pointers defeats ASLR and gives a memory-corruption bug the addresses it needs, and Apple shipped this fix alongside fixes for a WebKit use-after-free (CVE-2023-32373) and a sandbox escape (CVE-2023-32409) that it likewise said may have been actively exploited. Read the Medium CVSS score accordingly: it rates the isolated primitive, not the chain it was used in.
Root Cause
Apple has not published the affected component; its advisories say only that "an out-of-bounds read was addressed with improved input validation." That wording means a bounds check was missing or insufficient somewhere in WebKit's handling of web content: a length, index or offset derived from attacker-controlled input was used to address memory without first being checked against the size of the backing allocation, so crafted content could steer a read past the buffer and have the result returned to script.
Attack Vector
The attack vector for CVE-2023-28204 is network-based and requires user interaction. An attacker can exploit this vulnerability by:
- Crafting malicious web content that triggers the out-of-bounds read condition
- Hosting the malicious content on a website or distributing it via other web delivery mechanisms
- Enticing the victim to visit the malicious webpage using a vulnerable browser or application that uses WebKit for rendering
When the vulnerable WebKit engine processes the content, the out-of-bounds read returns memory that the page's own JavaScript can inspect and send back with ordinary web requests (fetch, XMLHttpRequest or image loads), so the exfiltration looks like normal page traffic to the site the victim visited.
Given that Apple has acknowledged a report of in-the-wild exploitation, working exploit code exists outside the vendor's control, and immediate patching is essential for all affected systems.
Detection Methods for CVE-2023-28204
Indicators of Compromise
- No public indicators (domains, hashes, page samples) for the exploitation campaign have been published by Apple or the reporters, so detection has to rely on host state and behaviour rather than indicator matching
- Crash reports for the WebKit content process (com.apple.WebKit.WebContent on macOS, WebContent on iOS) with EXC_BAD_ACCESS or SIGSEGV/SIGBUS; a successful use of a pure read primitive usually does not crash, but failed attempts and the memory-corruption stage that typically follows it often do
- Outbound connections from browser processes to newly registered or otherwise unfamiliar domains shortly after a page load, particularly small POST bodies that do not match the visited site's normal behaviour
- Devices still reporting a vulnerable OS, Safari or WebKitGTK+ version after the fix date (see the verification commands below), which turns "might have been targeted" into "was exposed"
Detection Strategies
- Collect WebKit content-process crash reports from the fleet (macOS DiagnosticReports, iOS analytics data shared through MDM) and alert on memory-access crashes that cluster by time or by visited site; EDR hooks on "memory access patterns" inside a sandboxed renderer are not a realistic control
- Monitor outbound connections from browser processes at the network edge or through EDR network telemetry; an information leak has to travel back to the attacker over a channel the page controls
- Use browser isolation (remote rendering) for high-risk users so that a renderer compromise lands in a disposable environment rather than on the endpoint
- Treat patch compliance as a detection control: inventory Safari, OS and Rapid Security Response versions and flag any device below the fixed versions as exposed
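The crash-report collection described above, as an added example that is not part of the original page or of any Apple tooling. It walks a macOS DiagnosticReports directory, keeps only WebKit content-process crashes whose exception is a bad memory access, and prints one line per hit for shipping to a SIEM. It assumes the Ventura-era ".ips" report layout (a one-line JSON header with "timestamp" and "os_version", followed by a JSON body containing "procName" and an "exception" object); the field names and the sample report file names are assumptions, and the sample reports are constructed here for demonstration, not captured from a real incident.

```shell
#!/bin/sh
# Added example: triage macOS crash reports for WebKit content-process memory-access crashes.
# Assumes the Ventura-era .ips layout: line 1 is a JSON header, the rest is a JSON body.
REPORT_DIR="${REPORT_DIR:-$HOME/Library/Logs/DiagnosticReports}"

# is_webcontent_memcrash FILE -> 0 if FILE is a WebContent crash with EXC_BAD_ACCESS/SIGSEGV/SIGBUS
is_webcontent_memcrash() {
    f="$1"
    grep -q '"procName" *: *"com.apple.WebKit.WebContent"' "$f" || return 1
    grep -Eq '"type" *: *"EXC_BAD_ACCESS"|"signal" *: *"SIG(SEGV|BUS)"' "$f"
}

# report_line FILE -> "timestamp<TAB>os_version<TAB>FILE", fields pulled from the header line
report_line() {
    f="$1"
    ts=$(head -n 1 "$f" | sed -n 's/.*"timestamp" *: *"\([^"]*\)".*/\1/p')
    osv=$(head -n 1 "$f" | sed -n 's/.*"os_version" *: *"\([^"]*\)".*/\1/p')
    printf '%s\t%s\t%s\n' "${ts:-?}" "${osv:-?}" "$f"
}

# triage_webcontent_crashes DIR -> prints one line per hit; status 0 if any hit, 1 otherwise
triage_webcontent_crashes() {
    dir="$1"; hits=0
    for f in "$dir"/*.ips; do
        [ -f "$f" ] || continue
        if is_webcontent_memcrash "$f"; then
            report_line "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# count_webcontent_crashes DIR -> prints the number of hits
count_webcontent_crashes() {
    triage_webcontent_crashes "$1" | wc -l | tr -d ' '
}

# Constructed sample reports (not real crash logs, file names illustrative) for offline testing:
# one WebContent bad-access crash, one WebContent abort, one Safari UI-process bad-access crash.
make_sample_reports() {
    d="$1"; mkdir -p "$d"
    cat > "$d/com.apple.WebKit.WebContent-2023-05-10-101500.ips" <<'EOF'
{"app_name":"WebContent","timestamp":"2023-05-10 10:15:00.00 +0000","bug_type":"309","os_version":"macOS 13.3.1 (22E261)"}
{
  "procName" : "com.apple.WebKit.WebContent",
  "exception" : {"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"KERN_INVALID_ADDRESS at 0x0000000000000040"}
}
EOF
    cat > "$d/com.apple.WebKit.WebContent-2023-05-11-090000.ips" <<'EOF'
{"app_name":"WebContent","timestamp":"2023-05-11 09:00:00.00 +0000","bug_type":"309","os_version":"macOS 13.3.1 (22E261)"}
{
  "procName" : "com.apple.WebKit.WebContent",
  "exception" : {"type":"EXC_CRASH","signal":"SIGABRT"}
}
EOF
    cat > "$d/Safari-2023-05-11-120000.ips" <<'EOF'
{"app_name":"Safari","timestamp":"2023-05-11 12:00:00.00 +0000","bug_type":"309","os_version":"macOS 13.3.1 (22E261)"}
{
  "procName" : "Safari",
  "exception" : {"type":"EXC_BAD_ACCESS","signal":"SIGSEGV"}
}
EOF
}
```

On a Mac, run triage_webcontent_crashes "$REPORT_DIR" (per user, or over each home directory as root) and forward the output; only the first sample report should match, since the abort in the second and the Safari UI process in the third are not the signal you want. The os_version column matters: a bad-access crash on a build below the fixed version is worth a look, the same crash on a patched build is ordinary browser noise. Absence of crashes is not evidence of absence, because an out-of-bounds read that only leaks data leaves no crash behind.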
Monitoring Recommendations
- Enable web browsing logs (proxy or DNS) for all devices still running vulnerable WebKit versions, so that a later indicator can be matched retroactively
- Build SIEM rules on the crash and version telemetry above rather than on content signatures; no public signature for the crafted content exists
- Apply network traffic analysis to browser-originated traffic to identify potential exfiltration channels
- Subscribe to threat intelligence feeds that cover WebKit exploitation campaigns, since indicators may be published after the fact
How to Mitigate CVE-2023-28204
Immediate Actions Required
- Update all Apple devices to the fixed versions: iOS/iPadOS 16.5 or 15.7.6, macOS Ventura 13.4, Safari 16.5 (also for Big Sur and Monterey), tvOS 16.5 and watchOS 9.5; devices that installed Rapid Security Response iOS/iPadOS 16.4.1 (a) or macOS 13.3.1 (a) already have the fix
- Update WebKitGTK+ and WPE WebKit on Linux to 2.40.2 or later (Gentoo tracks this in GLSA 202401-04; other distributions in their own advisories)
- Block access to known malicious domains at the network level where you have indicators; none were published for this campaign, so this is a generic control rather than a mitigation specific to this CVE
- Consider restricting web browsing on critical systems until patches can be applied
Patch Information
Apple has released security updates addressing this vulnerability across multiple platforms. Organizations should reference the following Apple Support Documents for detailed patching guidance:
- HT213757 - Safari 16.5 security update
- HT213758 - iOS 16.5 and iPadOS 16.5 security update
- HT213761 - macOS Ventura 13.4 security update
- HT213762 - tvOS 16.5 security update
- HT213764 - watchOS 9.5 security update
- HT213765 - iOS 15.7.6 and iPadOS 15.7.6 security update
For Linux distributions using WebKitGTK+, refer to your distribution's security advisory for patched package versions.
Workarounds
- Limit web browsing on affected devices to trusted, known-safe websites until patches can be applied, keeping in mind that crafted content can also arrive through ads or embedded frames on otherwise trusted sites
- Use browser isolation or sandboxing technologies to contain potential exploitation
- Enable Lockdown Mode (iOS 16, iPadOS 16, macOS Ventura) on high-risk devices; it disables several web technologies in WebKit, including just-in-time JavaScript compilation, which removes much of the surface exploit chains depend on, although it does not specifically close this bug
- Deploy web proxy solutions that can filter potentially malicious content before it reaches vulnerable endpoints
- On macOS and Linux a non-WebKit browser (Chromium- or Gecko-based) avoids this bug, but embedded WebKit views in other applications remain exposed; on iOS and iPadOS every third-party browser was required to use WebKit at the time of the fix, so switching browsers there gives no protection
# Verify Safari version on macOS (should be 16.5 or later)
/usr/bin/defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
# Check macOS version (should be 13.4 or later for Ventura)
sw_vers -productVersion
# A Rapid Security Response shows up as a suffix here; 13.3.1 with "(a)" already carries the fix
sw_vers -productVersionExtra
# List updates the machine has not yet installed
softwareupdate --list
# On iOS/iPadOS, navigate to Settings > General > About to verify version 16.5+ or 15.7.6+ (16.4.1 (a) also carries the fix)
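The version checks above decide patch status by eye; the following is an added example, not code from the page or from Apple, that turns the fixed-version table in the Apple advisories into a function usable over an MDM or asset inventory export. It handles the two cases a naive string comparison gets wrong: the Rapid Security Response builds (16.4.1 (a), 13.3.1 (a)) whose base version is below the release fix but which Apple says already contain it, and macOS Big Sur/Monterey, where the WebKit fix ships with Safari 16.5 rather than with the OS. The function names, the CSV layout and the inventory rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: is a reported platform/version already fixed for CVE-2023-28204?
# Fixed versions are taken from the Apple advisories (HT213757, HT213758, HT213761,
# HT213762, HT213764, HT213765) and WebKitGTK+/WPE WebKit 2.40.2.

# version_ge A B -> status 0 if dotted version A >= B (numeric, component-wise)
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
    done
    return 0
}

# cve_2023_28204_patched PLATFORM VERSION [EXTRA]
#   PLATFORM: safari|ios|ipados|macos|tvos|watchos|webkitgtk
#   EXTRA:    Rapid Security Response suffix as printed by `sw_vers -productVersionExtra`, e.g. "(a)"
# Prints a verdict; status 0 = patched, 1 = vulnerable, 2 = cannot tell from this field alone.
cve_2023_28204_patched() {
    platform="$1"; ver="$2"; extra="$3"
    case "$platform" in
        safari)    fixed="16.5" ;;
        tvos)      fixed="16.5" ;;
        watchos)   fixed="9.5" ;;
        webkitgtk) fixed="2.40.2" ;;
        ios|ipados)
            case "$ver" in
                15.*) fixed="15.7.6" ;;   # 15 branch fixed in 15.7.6
                *)    fixed="16.5" ;;     # 16 branch fixed in 16.5 (or the 16.4.1 (a) RSR)
            esac ;;
        macos)
            case "$ver" in
                1[0-2].*)   # Big Sur / Monterey: the fix rides with Safari 16.5, not the OS version
                    echo "indeterminate: macOS $ver, check the Safari version instead"; return 2 ;;
                *) fixed="13.4" ;;
            esac ;;
        *) echo "unknown platform: $platform" >&2; return 2 ;;
    esac
    # Rapid Security Responses that already contain the fix despite a lower base version
    if [ "$extra" = "(a)" ]; then
        case "$platform:$ver" in
            ios:16.4.1|ipados:16.4.1|macos:13.3.1) echo "patched (RSR $ver $extra)"; return 0 ;;
        esac
    fi
    if version_ge "$ver" "$fixed"; then
        echo "patched ($platform $ver >= $fixed)"; return 0
    fi
    echo "VULNERABLE: $platform $ver < $fixed"; return 1
}

# check_this_mac -> evaluate the machine the script runs on (macOS only)
check_this_mac() {
    cve_2023_28204_patched macos "$(sw_vers -productVersion)" "$(sw_vers -productVersionExtra 2>/dev/null)"
    cve_2023_28204_patched safari \
        "$(/usr/bin/defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)"
}

# Constructed inventory rows (host,platform,version,extra) standing in for an MDM export
sample_inventory='mac01,macos,13.3.1,(a)
mac02,macos,13.2.1,
mac03,macos,12.6.6,
phone04,ios,15.7.5,
phone05,ipados,16.5,
lin06,webkitgtk,2.40.1,'

printf '%s\n' "$sample_inventory" | while IFS=, read -r host platform ver extra; do
    printf '%s: ' "$host"
    cve_2023_28204_patched "$platform" "$ver" "$extra" || true
done
```

Feed it real data by replacing sample_inventory with an export from your MDM, or run check_this_mac on the endpoint itself. Status 2 is deliberate: a macOS 12 host is not vulnerable by OS version, but it is not patched either until its Safari is at 16.5, so treat it as "needs a second field" rather than silently passing it.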
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

