CVE-2023-28206 Overview
CVE-2023-28206 is an out-of-bounds write vulnerability affecting multiple Apple operating systems including macOS, iOS, and iPadOS. The vulnerability exists in the IOSurfaceAccelerator component and allows a malicious application to execute arbitrary code with kernel privileges. Apple has confirmed that this vulnerability has been actively exploited in the wild, making immediate patching critical for all affected systems.
Critical Impact
This vulnerability enables kernel-level code execution through a malicious application, allowing complete device compromise. CISA has added this to their Known Exploited Vulnerabilities catalog due to confirmed active exploitation.
Affected Products
- Apple macOS Ventura (versions prior to 13.3.1)
- Apple macOS Monterey (versions prior to 12.6.5)
- Apple macOS Big Sur (versions prior to 11.7.6)
- Apple iOS (versions prior to 16.4.1 and 15.7.5)
- Apple iPadOS (versions prior to 16.4.1 and 15.7.5)
Discovery Timeline
- April 10, 2023 - CVE-2023-28206 published to NVD
- October 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-28206
Vulnerability Analysis
CVE-2023-28206 is classified as CWE-787 (Out-of-Bounds Write), a memory corruption vulnerability that occurs when the IOSurfaceAccelerator kernel extension writes data past the boundaries of allocated memory buffers. The root cause stems from insufficient input validation when processing requests from user-space applications.
When exploited, this vulnerability allows an attacker to corrupt adjacent memory regions in the kernel heap, potentially overwriting critical kernel data structures. The local attack vector requires user interaction (such as opening a malicious application), but once triggered, the attacker can achieve kernel-level code execution with the highest possible privileges on Apple devices.
This vulnerability was discovered being actively exploited as part of a zero-click attack chain targeting specific individuals. The exploitation technique leverages the memory corruption to gain arbitrary kernel read/write primitives, which can then be used to disable security features, install persistent implants, or extract sensitive data from the device.
Root Cause
The vulnerability originates from improper bounds checking in the IOSurfaceAccelerator kernel extension when handling specially crafted input from user-space applications. The component fails to properly validate the size or boundaries of data being written, allowing an attacker to control the out-of-bounds write offset and data, leading to kernel memory corruption.
Attack Vector
The attack requires local access to the device and user interaction to launch a malicious application. Once the malicious app is running, it can trigger the out-of-bounds write condition in the kernel by sending specially crafted requests to the IOSurfaceAccelerator component.
The vulnerability was reportedly used in targeted attacks as part of a broader exploit chain. Attackers typically combine this kernel vulnerability with an initial code execution vulnerability (such as a WebKit flaw) to achieve full device compromise without physical access; the victim need only be convinced to visit a malicious website or open a malicious file.
The exploitation flow typically involves:
- Initial compromise through a separate vulnerability (e.g., browser-based exploit)
- Triggering the IOSurfaceAccelerator out-of-bounds write to corrupt kernel memory
- Achieving arbitrary kernel read/write capabilities
- Disabling security mechanisms and establishing persistence
Detection Methods for CVE-2023-28206
Indicators of Compromise
- Unusual kernel panic or crash reports related to IOSurfaceAccelerator or graphics subsystems
- Unexpected processes running with elevated privileges or attempting to access kernel memory
- Anomalous system behavior following the opening of suspicious applications or visiting untrusted websites
- Evidence of disabled security features such as System Integrity Protection (SIP) or code signing enforcement
Detection Strategies
- Monitor for unusual IOKit service usage patterns, particularly involving IOSurfaceAccelerator
- Implement endpoint detection rules for suspicious memory allocation patterns in kernel space
- Deploy behavioral analysis to detect applications attempting kernel-level operations without legitimate purpose
- Review crash logs and panic reports for indicators of memory corruption in graphics-related kernel extensions
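One way to act on the crash-log and panic-report items above is to sweep exported reports for references to the graphics kernel extensions named in this advisory. The script below is an added example, not Apple's tooling or part of the original advisory: the panic-report text is a constructed sample (addresses, version strings and bundle identifiers are placeholders), the `.panic` file extension and the match pattern are assumptions, and a hit only marks a report for analyst review, not as confirmed exploitation.

```sh
#!/bin/sh
# Added example (not from the advisory or from Apple): triage exported panic
# reports for references to IOSurfaceAccelerator or IOSurface. The sample log
# text below is constructed; it is not a verbatim Apple panic report.

# Kernel extension names worth a closer look (pattern is an assumption).
GFX_PATTERN='IOSurfaceAccelerator|IOSurface'

# Print the matching lines of one report; status 0 if anything matched, else 1.
flag_report() {
    grep -E "$GFX_PATTERN" "$1"
}

# Count the *.panic reports under a directory that reference the graphics kexts.
count_flagged() {
    n=0
    for f in "$1"/*.panic; do
        [ -f "$f" ] || continue
        if flag_report "$f" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Write two constructed reports (one suspicious, one benign) into a temp dir
# and print the directory path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/suspicious.panic" <<'EOF'
panic(cpu 4 caller 0x0): Kernel data abort. at pc 0x0, lr 0x0 (constructed sample)
Kernel Extensions in backtrace:
   com.apple.iokit.IOSurface(0.0.0)[placeholder-uuid]
   IOSurfaceAccelerator(0.0.0)[placeholder-uuid]
EOF
    cat > "$dir/benign.panic" <<'EOF'
panic(cpu 1 caller 0x0): watchdog timeout: no checkins from watchdogd (constructed sample)
Kernel Extensions in backtrace:
   com.apple.driver.watchdog(0.0.0)[placeholder-uuid]
EOF
    echo "$dir"
}

# Stand-alone run: build the samples, report the count, show the hits, clean up.
samples=$(make_samples)
echo "flagged reports: $(count_flagged "$samples") of 2"
for f in "$samples"/*.panic; do
    if flag_report "$f" >/dev/null; then
        echo "--- $f"
        flag_report "$f"
    fi
done
rm -rf "$samples"
```

Point `count_flagged` at the directory where panic reports are collected (for example, a share where `/Library/Logs/DiagnosticReports` exports are gathered) and route flagged files to the analyst queue; the benign report shows that ordinary watchdog panics are not matched.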
Monitoring Recommendations
- Enable and centralize collection of Apple unified logs, particularly kernel and crash reporter logs
- Monitor Mobile Device Management (MDM) solutions for devices running unpatched iOS/iPadOS versions
- Implement real-time alerting for any detected exploitation attempts or IOC matches
- Conduct regular vulnerability scanning to identify systems missing the critical security patches
How to Mitigate CVE-2023-28206
Immediate Actions Required
- Update all Apple devices to the patched versions immediately: macOS Ventura 13.3.1, macOS Monterey 12.6.5, macOS Big Sur 11.7.6, iOS 16.4.1, iPadOS 16.4.1, iOS 15.7.5, or iPadOS 15.7.5
- Prioritize patching for high-value targets and devices with access to sensitive data
- Review and restrict application installation policies to prevent unauthorized or untrusted apps from running
- Enable automatic updates where feasible to ensure timely deployment of future security patches
Patch Information
Apple has released security updates addressing this vulnerability across all affected platforms. Organizations should apply the following updates:
- macOS Ventura 13.3.1 - Apple Security Update HT213720
- macOS Monterey 12.6.5 - Apple Security Update HT213724
- macOS Big Sur 11.7.6 - Apple Security Update HT213725
- iOS 16.4.1 and iPadOS 16.4.1 - Apple Security Update HT213720
- iOS 15.7.5 and iPadOS 15.7.5 - Apple Security Update HT213723
This vulnerability is tracked in the CISA Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate by May 1, 2023.
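To turn the patch list above into an MDM or vulnerability-scan check, each reported OS version has to be compared against the first fixed release for its product and major version. The script below is an added example, not part of the advisory and not Apple's or any MDM vendor's code: the `<product> <version>` inventory format is an assumption, the inventory lines are constructed sample data, and versions the advisory does not list (for example macOS 14) are reported for manual review rather than guessed at.

```sh
#!/bin/sh
# Added example (not from the advisory or from Apple): classify reported OS
# versions against the minimum patched releases for CVE-2023-28206.
# Inventory format "<product> <version>" is an assumption; real rows would
# come from an MDM export.

# Compare two dotted version strings; prints lt, eq or gt for a<b, a=b, a>b.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
    done
    echo eq
}

# First release carrying the fix for a product's major version (from the
# advisory's patch list); prints nothing for versions the advisory omits.
fixed_version() {
    case "$1" in
        macOS)
            case "${2%%.*}" in
                13) echo 13.3.1 ;;
                12) echo 12.6.5 ;;
                11) echo 11.7.6 ;;
            esac ;;
        iOS|iPadOS)
            case "${2%%.*}" in
                16) echo 16.4.1 ;;
                15) echo 15.7.5 ;;
            esac ;;
    esac
}

# Exit status: 0 patched, 1 vulnerable, 2 not covered by the advisory.
check_patched() {
    fix=$(fixed_version "$1" "$2")
    [ -n "$fix" ] || return 2
    [ "$(vercmp "$2" "$fix")" != lt ]
}

# Constructed sample inventory, not real device data.
INVENTORY='macOS 13.2.1
macOS 13.3.1
macOS 12.6.4
iOS 16.4
iPadOS 15.7.5
macOS 14.0'

# Print one status line per inventory row.
report() {
    printf '%s\n' "$INVENTORY" | while read -r product version; do
        rc=0; check_patched "$product" "$version" || rc=$?
        case $rc in
            0) echo "OK         $product $version" ;;
            2) echo "REVIEW     $product $version (not in advisory patch list)" ;;
            *) echo "VULNERABLE $product $version (needs $(fixed_version "$product" "$version") or later)" ;;
        esac
    done
}

report
```

Replace `INVENTORY` with the MDM export and feed the VULNERABLE rows into the patch-priority list from the Immediate Actions section; `vercmp` is a plain component-wise comparison so that `16.4` correctly sorts below `16.4.1` without relying on `sort -V`, which macOS's `sort` lacks.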
Workarounds
- No complete workarounds exist for this vulnerability; patching is the only effective remediation
- Restrict installation of applications to trusted sources (App Store only) to reduce exposure
- Implement network-level controls to prevent access to known malicious domains associated with exploit delivery
- Consider temporary device isolation for critical systems until patches can be applied
Version Check and Update Commands
```sh
# Check current macOS version
sw_vers -productVersion
# Check for available updates on macOS
softwareupdate --list
# Install all available updates on macOS
sudo softwareupdate --install --all --restart
# For iOS/iPadOS, update via Settings > General > Software Update
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.