CVE-2023-41990 Overview
CVE-2023-41990 is a serious arbitrary code execution vulnerability affecting multiple Apple operating systems. The flaw exists in font file processing where improper handling of caches allows attackers to execute arbitrary code on affected devices. Apple has confirmed that this vulnerability has been actively exploited in the wild against iOS versions released before iOS 15.7.1.
This vulnerability is particularly concerning as it has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating real-world exploitation by threat actors. The local attack vector requires user interaction, typically through opening a maliciously crafted font file, making it suitable for targeted phishing campaigns or watering hole attacks.
Critical Impact
Actively exploited zero-day vulnerability allowing arbitrary code execution through malicious font files on Apple devices. Listed on CISA KEV catalog.
Affected Products
- Apple iOS (versions before 16.3, and 15.x before 15.7.8)
- Apple iPadOS (versions before 16.3, and 15.x before 15.7.8)
- Apple macOS (Monterey before 12.6.8, Big Sur before 11.7.9, Ventura before 13.2)
- Apple tvOS (versions before 16.3)
- Apple watchOS (versions before 9.3)
Discovery Timeline
- September 12, 2023 - CVE-2023-41990 published to NVD
- October 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-41990
Vulnerability Analysis
This vulnerability stems from improper cache handling within Apple's font processing subsystem. When a specially crafted font file is processed by the operating system, the flawed cache management can be leveraged to achieve arbitrary code execution. The vulnerability affects the core font rendering functionality shared across Apple's ecosystem, which explains why multiple operating systems are impacted.
The attack requires local access and user interaction—typically, a victim must be tricked into opening or processing a malicious font file. This could occur through various delivery mechanisms such as email attachments, malicious documents containing embedded fonts, or compromised web content that triggers font loading.
Given the confirmed active exploitation against iOS versions before 15.7.1, this vulnerability has been weaponized in real-world attacks. The breadth of affected products—spanning mobile, desktop, TV, and wearable platforms—creates a large attack surface for adversaries targeting Apple device users.
Root Cause
The root cause of CVE-2023-41990 lies in improper cache handling within Apple's font processing code. The vulnerability was addressed through improved handling of caches, suggesting that the original implementation contained flaws in how cached data was validated, managed, or sanitized during font parsing operations. This type of issue can lead to memory corruption or other exploitable conditions when processing untrusted font data.
Attack Vector
The attack vector is local with required user interaction. An attacker must craft a malicious font file and deliver it to the target system. Exploitation occurs when the victim's device processes the font file, which can happen through:
- Opening a document containing embedded malicious fonts
- Visiting a web page that loads a crafted web font
- Installing an application bundle containing malicious font resources
- Processing email attachments with embedded fonts
The malicious font file exploits the cache handling flaw to achieve code execution with the privileges of the process handling the font, potentially leading to complete device compromise.
Detection Methods for CVE-2023-41990
Indicators of Compromise
- Unusual font files appearing in system directories or user-accessible locations with suspicious naming conventions
- Unexpected font-related process crashes or abnormal behavior in font rendering services
- Malicious documents (PDF, Office files) containing embedded font resources from untrusted sources
- Network traffic to known malicious infrastructure following font file processing activities
Detection Strategies
- Monitor for unusual file system activity involving font files in non-standard directories
- Implement behavioral analysis to detect anomalous process spawning from font rendering processes
- Deploy endpoint detection rules targeting exploitation of Apple font subsystem components
- Analyze application logs for font parsing errors or crashes that may indicate exploitation attempts
Monitoring Recommendations
- Enable comprehensive logging on Apple endpoints to capture font processing events
- Implement SentinelOne's behavioral AI to detect post-exploitation activity following font-based attacks
- Monitor for privilege escalation attempts following document or web content processing
- Track updates to CISA KEV catalog for new exploitation intelligence related to this vulnerability
How to Mitigate CVE-2023-41990
Immediate Actions Required
- Update all Apple devices to the latest patched versions immediately: iOS 16.3+, iPadOS 16.3+, macOS Ventura 13.2+, macOS Monterey 12.6.8+, macOS Big Sur 11.7.9+, tvOS 16.3+, watchOS 9.3+
- For legacy devices unable to run the latest OS, update to iOS 15.7.8 or iPadOS 15.7.8 minimum
- Enable automatic updates on all Apple devices to ensure timely patch deployment
- Exercise caution with untrusted documents, email attachments, and web content that may contain malicious fonts
Patch Information
Apple has released security updates addressing this vulnerability across all affected platforms. Detailed patch information is available through Apple Security Advisory HT213599, Apple Security Advisory HT213601, Apple Security Advisory HT213605, and additional advisories for macOS versions at HT213842, HT213844, and HT213845. This vulnerability is tracked in the CISA Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate by the specified deadline.
Workarounds
- Restrict access to untrusted font files through Mobile Device Management (MDM) policies where possible
- Implement network-level filtering to block known malicious file types and suspicious document downloads
- Use application sandboxing and least-privilege configurations to limit impact of successful exploitation
- Deploy SentinelOne Singularity platform for real-time behavioral detection and automated response capabilities
# Verify Apple device software version on macOS
sw_vers -productVersion
# Check for available updates on macOS
softwareupdate --list
# Install all available updates
softwareupdate --install --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
