CVE-2023-41990 Overview
CVE-2023-41990 is a font-processing vulnerability affecting multiple Apple operating systems. Processing a maliciously crafted font file can lead to arbitrary code execution on the target device. Apple addressed the issue with improved handling of caches across iOS, iPadOS, macOS, tvOS, and watchOS.
The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Apple confirmed reports that the issue may have been actively exploited against versions of iOS released before iOS 15.7.1, making it a confirmed in-the-wild zero-day before patching.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the application processing the font, with confirmed in-the-wild abuse against iOS devices prior to iOS 15.7.1.
Affected Products
- Apple iOS and iPadOS (versions prior to 16.3, and 15.7.8)
- Apple macOS Monterey 12.6.8, macOS Big Sur 11.7.9, macOS Ventura 13.2
- Apple tvOS 16.3 and watchOS 9.3
Discovery Timeline
- 2023-09-12 - CVE-2023-41990 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2023-41990
Vulnerability Analysis
The flaw resides in Apple's font-handling code path, where parsing a crafted font file leads to memory corruption that an attacker can convert into arbitrary code execution. Apple described the remediation as "improved handling of caches," indicating the root cause involved unsafe state retention or stale cache references during font processing.
Exploitation requires the victim to process an attacker-supplied font, typically through opening a document, visiting a page, or rendering a message containing the malicious font. Because font parsing runs in client applications and system services, successful exploitation enables an attacker to execute code with the privileges of the parsing process. The vulnerability has been used as part of in-the-wild attack chains against older iOS versions.
Root Cause
The root cause is improper handling of cached objects during font processing [CWE-noinfo]. When the system fails to correctly invalidate or validate cached font data, an attacker-controlled font can cause the renderer to operate on stale or attacker-controlled state, producing memory corruption suitable for code execution.
Attack Vector
The attack vector is local and requires user interaction. A target must open or render a crafted font file, often delivered through documents, web content, or messaging applications. Once the font is processed, the cache-handling defect is triggered and the attacker gains code execution within the host process.
No verified public proof-of-concept code is available. For technical details on the affected components and remediation, refer to the Apple Security Update HT213599 and the corresponding advisories for each platform.
Detection Methods for CVE-2023-41990
Indicators of Compromise
- Unexpected font files (.ttf, .otf) delivered via email, messaging, or web downloads to iOS, iPadOS, or macOS endpoints.
- Crashes or anomalous behavior in system font services (such as fontd) or applications that render rich documents on unpatched Apple devices.
- Outbound network connections from mobile or desktop applications immediately following the opening of a document containing embedded fonts.
Detection Strategies
- Inspect inbound document and web traffic for embedded fonts with malformed tables or unusual cache-related structures.
- Correlate font-rendering process crashes with subsequent process spawns or persistence activity on macOS endpoints.
- Use the CISA KEV catalog entry for CVE-2023-41990 to prioritize asset inventory checks for unpatched Apple OS versions.
Monitoring Recommendations
- Track Apple OS versions across managed fleets and flag devices running below the patched builds (iOS/iPadOS 16.3 or 15.7.8, macOS Ventura 13.2, Monterey 12.6.8, Big Sur 11.7.9, tvOS 16.3, watchOS 9.3).
- Monitor mobile device management (MDM) telemetry for delayed OS update compliance, especially on executive and high-risk user devices.
- Alert on unusual file types arriving through messaging or collaboration platforms where font payloads have historically been used in exploit chains.
How to Mitigate CVE-2023-41990
Immediate Actions Required
- Update all Apple devices to the fixed builds: iOS/iPadOS 16.3 or 15.7.8, macOS Ventura 13.2, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.3, and watchOS 9.3.
- Prioritize patching of devices that handle untrusted documents, web content, or messaging attachments, given confirmed in-the-wild exploitation.
- Enforce update compliance through MDM and block non-compliant devices from sensitive corporate resources until remediated.
Patch Information
Apple released fixes across affected platforms. Refer to the official advisories: Apple Security Update HT213599, HT213601, HT213605, HT213606, HT213842, HT213844, and HT213845.
Workarounds
- No vendor-supplied workaround exists; applying the official OS update is the only complete mitigation.
- Restrict opening of untrusted documents and font files on unpatched devices until updates are deployed.
- Use email and web gateway controls to strip or quarantine attachments containing embedded fonts from untrusted senders.
# Verify Apple device OS version compliance (macOS example)
sw_vers -productVersion
# Expected minimum versions:
# macOS Ventura 13.2
# macOS Monterey 12.6.8
# macOS Big Sur 11.7.9
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
