Apple Multiple Products WebKit Use-After-Free Vulnerability
Summary
| CVE | CVE-2023-28205 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-10 19:15:00 UTC |
| Updated | 2023-07-27 04:15:00 UTC |
| Description | A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. |
Risk And Classification
EPSS: 0.001120000 probability, percentile 0.297590000 (date 2026-04-01)
CISA KEV: Listed on 2023-04-10; due 2023-05-01; ransomware use Unknown
Problem Types: CWE-416
CISA Known Exploited Vulnerability
| Vendor | Apple |
|---|---|
| Product | Multiple Products |
| Name | Apple Multiple Products WebKit Use-After-Free Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://support.apple.com/en-us/HT213720,https://support.apple.com/en-us/HT213721,https://support.apple.com/en-us/HT213722,https://support.apple.com/en-us/HT213723; https://nvd.nist.gov/vuln/detail/CVE-2023-28205 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| About the security content of Safari 16.4.1 - Apple Support | MISC | support.apple.com | Release Notes |
| Full Disclosure: APPLE-SA-2023-04-07-3 Safari 16.4.1 | FULLDISC | seclists.org | Mailing List, Release Notes |
| WebKitGTK+: Multiple Vulnerabilities (GLSA 202305-32) — Gentoo security | GENTOO | security.gentoo.org | |
| About the security content of iOS 15.7.5 and iPadOS 15.7.5 - Apple Support | MISC | support.apple.com | Release Notes |
| About the security content of macOS Ventura 13.3.1 - Apple Support | MISC | support.apple.com | Release Notes |
| Debian -- Security Information -- DSA-5397-1 wpewebkit | DEBIAN | www.debian.org | |
| About the security content of iOS 16.4.1 and iPadOS 16.4.1 - Apple Support | MISC | support.apple.com | Release Notes |
| Full Disclosure: APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1 | FULLDISC | seclists.org | Mailing List, Release Notes |
| [SECURITY] Fedora 37 Update: webkitgtk-2.40.1-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 3419-1] webkit2gtk security update | MLIST | lists.debian.org | |
| oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 | MLIST | www.openwall.com | |
| [SECURITY] Fedora 36 Update: webkit2gtk3-2.40.1-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5 | FULLDISC | seclists.org | Mailing List, Release Notes |
| Debian -- Security Information -- DSA-5396-1 webkit2gtk | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 38 Update: webkitgtk-2.40.1-1.fc38 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1 | FULLDISC | seclists.org | Mailing List, Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160560 Oracle Enterprise Linux Security Update for webkit2gtk3 (ELSA-2023-1918)
- 160561 Oracle Enterprise Linux Security Update for webkit2gtk3 (ELSA-2023-1919)
- 181769 Debian Security Update for wpewebkit (DSA 5397-1)
- 181770 Debian Security Update for webkit2gtk (DSA 5396-1)
- 181780 Debian Security Update for webkit2gtk (DLA 3419-1)
- 182111 Debian Security Update for webkit2gtkwpewebkit (CVE-2023-28205)
- 199324 Ubuntu Security Notification for WebKitGTK Vulnerabilities (USN-6061-1)
- 241371 Red Hat Update for webkit2gtk3 (RHSA-2023:1918)
- 241373 Red Hat Update for webkit2gtk3 (RHSA-2023:1919)
- 283955 Fedora Security Update for webkitgtk (FEDORA-2023-a4bbf02a57)
- 283958 Fedora Security Update for webkit2gtk3 (FEDORA-2023-8900b35c6f)
- 284163 Fedora Security Update for webkitgtk (FEDORA-2023-5b61346bbe)
- 355438 Amazon Linux Security Advisory for webkitgtk4 : ALAS2-2023-2088
- 378364 Apple macOS Ventura 13.3.1 Not Installed (HT213721)
- 378365 Apple Safari Security update (HT213722)
- 378470 Alibaba Cloud Linux Security Update for webkit2gtk3 (ALINUX3-SA-2023:0040)
- 610477 Apple iOS 16.4.1 and iPadOS 16.4.1 Security Update Missing (HT213720)
- 610478 Apple iOS 15.7.5 and iPadOS 15.7.5 Security Update Missing (HT213723)
- 710737 Gentoo Linux WebKitGTK+ Multiple Vulnerabilities (GLSA 202305-32)
- 753948 SUSE Enterprise Linux Security Update for webkit2gtk3 (SUSE-SU-2023:2056-1)
- 753959 SUSE Enterprise Linux Security Update for webkit2gtk3 (SUSE-SU-2023:2078-1)
- 753960 SUSE Enterprise Linux Security Update for webkit2gtk3 (SUSE-SU-2023:2077-1)
- 940992 AlmaLinux Security Update for webkit2gtk3 (ALSA-2023:1919)
- 940995 AlmaLinux Security Update for webkit2gtk3 (ALSA-2023:1918)
- 960912 Rocky Linux Security Update for webkit2gtk3 (RLSA-2023:1918)
- 960915 Rocky Linux Security Update for webkit2gtk3 (RLSA-2023:1919)