About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
macOS Ventura 13.3
Released March 27, 2023
AMD
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: The issue was addressed with improved bounds checks.
CVE-2023-32436: ABC Research s.r.o.
Entry added October 31, 2023
AMD
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-27968: ABC Research s.r.o.
CVE-2023-28209: ABC Research s.r.o.
CVE-2023-28210: ABC Research s.r.o.
CVE-2023-28211: ABC Research s.r.o.
CVE-2023-28212: ABC Research s.r.o.
CVE-2023-28213: ABC Research s.r.o.
CVE-2023-28214: ABC Research s.r.o.
CVE-2023-28215: ABC Research s.r.o.
CVE-2023-32356: ABC Research s.r.o.
Entry added September 5, 2023
Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
CVE-2023-23532: Mohamed Ghannam (@_simo36)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch1t)
AppleScript
Available for: macOS Ventura
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected app termination or disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-28179: Mickey Jin (@patch1t)
Entry added August 1, 2023
App Store
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-42830: an anonymous researcher
Entry added December 21, 2023
Archive Utility
Available for: macOS Ventura
Impact: An archive may be able to bypass Gatekeeper
Description: The issue was addressed with improved checks.
CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary, Chan Shue Long, and Csaba Fitzl (@theevilbit) of Offensive Security
Entry updated September 5, 2023
Calendar
Available for: macOS Ventura
Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
Description: Multiple validation issues were addressed with improved input sanitization.
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)
Entry updated September 5, 2023
Camera
Available for: macOS Ventura
Impact: A sandboxed app may be able to determine which app is currently using the camera
Description: The issue was addressed with additional restrictions on the observability of app states.
CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)
Carbon Core
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2023-23534: Mickey Jin (@patch1t)
ColorSync
Available for: macOS Ventura
Impact: An app may be able to read arbitrary files
Description: The issue was addressed with improved checks.
CVE-2023-27955: JeongOhKyea
CommCenter
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2023-27936: Tingting Yin of Tsinghua University
CoreCapture
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University
Crash Reporter
Available for: macOS Ventura
Impact: An app may be able to gain root privileges
Description: A logic issue was addressed with improved checks.
CVE-2023-32426: Junoh Lee at Theori
Entry added September 5, 2023
curl
Available for: macOS Ventura
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating curl.
CVE-2022-43551
CVE-2022-43552
dcerpc
Available for: macOS Ventura
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
CVE-2023-27934: Aleksandar Nikolic of Cisco Talos
Entry updated June 8, 2023
dcerpc
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to cause a denial-of-service
Description: A denial-of-service issue was addressed with improved memory handling.
CVE-2023-28180: Aleksandar Nikolic of Cisco Talos
dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos
dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos
DesktopServices
Available for: macOS Ventura
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2023-40433: Mikko Kenttälä (@Turmio_ ) of SensorFu
Entry added December 21, 2023
FaceTime
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data to a more secure location.
CVE-2023-28190: Joshua Jones
Find My
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-23537: Adam M.
CVE-2023-28195: Adam M.
Entry added September 5, 2023, updated December 21, 2023
FontParser
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang (@VAR10CK) of Baidu Security
Entry updated October 31, 2023
FontParser
Available for: macOS Ventura
Impact: Processing a font file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2023-32366: Ye Zhang (@VAR10CK) of Baidu Security
Entry added October 31, 2023
Foundation
Available for: macOS Ventura
Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2023-27937: an anonymous researcher
iCloud
Available for: macOS Ventura
Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.
CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies
Identity Services
Available for: macOS Ventura
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO
Available for: macOS Ventura
Impact: Processing an image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27939: jzhu working with Trend Micro Zero Day Initiative
CVE-2023-27947: Meysam Firouzi @R00tkitSMM of Mbition Mercedes-Benz Innovation Lab
CVE-2023-27948: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab
CVE-2023-42862: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab
CVE-2023-42865: jzhu working with Trend Micro Zero Day Initiative and Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab
Entry added August 1, 2023, updated December 21, 2023
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2023-27946: Mickey Jin (@patch1t)
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)
IOAcceleratorFamily
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use-after-free issue was addressed with improved memory management.
CVE-2023-32378: Murray Mike
Entry added October 31, 2023
Kernel
Available for: macOS Ventura
Impact: A user may be able to cause a denial-of-service
Description: This issue was addressed with improved state management.
CVE-2023-28187: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.
Entry added September 5, 2023
Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2023-27941: Arsenii Kostromin (0x3c3e)
CVE-2023-28199: Arsenii Kostromin (0x3c3e)
Entry added August 1, 2023, updated October 31, 2023
Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved bounds checks.
CVE-2023-23536: Félix Poulin-Bélanger and David Pan Ogea
Entry added May 1, 2023, updated October 31, 2023
Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero
CVE-2023-27969: Adam Doupé of ASU SEFCOM
Kernel
Available for: macOS Ventura
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn
Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2023-28200: Arsenii Kostromin (0x3c3e)
LaunchServices
Available for: macOS Ventura
Impact: Files downloaded from the internet may not have the quarantine flag applied
Description: This issue was addressed with improved checks.
CVE-2023-27943: an anonymous researcher, Brandon Dalton (@partyD0lphin) of Red Canary, Milan Tenk, and Arthur Valiev of F-Secure Corporation
Entry updated October 31, 2023
LaunchServices
Available for: macOS Ventura
Impact: An app may be able to gain root privileges
Description: This issue was addressed with improved checks.
CVE-2023-23525: Mickey Jin (@patch1t)
libc
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A path handling issue was addressed with improved validation.
CVE-2023-40383: Mickey Jin (@patch1t)
Entry added October 31, 2023
libpthread
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A type confusion issue was addressed with improved checks.
CVE-2023-41075: Zweig of Kunlun Lab
Entry added December 21, 2023
Available for: macOS Ventura
Impact: An app may be able to view sensitive information
Description: The issue was addressed with improved checks.
CVE-2023-28189: Mickey Jin (@patch1t)
Entry added May 1, 2023
Messages
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2023-28197: Joshua Jones
Entry added October 31, 2023
Model I/O
Available for: macOS Ventura
Impact: Processing an image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27950: Mickey Jin (@patch1t)
Entry added September 5, 2023
Model I/O
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27949: Mickey Jin (@patch1t)
NetworkExtension
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device
Description: The issue was addressed with improved authentication.
CVE-2023-28182: Zhuowei Zhang
PackageKit
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2023-23538: Mickey Jin (@patch1t)
CVE-2023-27962: Mickey Jin (@patch1t)
Photos
Available for: macOS Ventura
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.
CVE-2023-23523: developStorm
Podcasts
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch1t)
Quick Look
Available for: macOS Ventura
Impact: A website may be able to track sensitive user information
Description: Error handling was changed to not reveal sensitive information.
CVE-2023-32362: Khiem Tran
Entry added September 5, 2023
Safari
Available for: macOS Ventura
Impact: An app may bypass Gatekeeper checks
Description: A race condition was addressed with improved locking.
CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: A logic issue was addressed with improved validation.
CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)
SharedFileList
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved checks.
CVE-2023-27966: Masahiro Kawada (@kawakatz) of GMO Cybersecurity by Ierae
Entry added May 1, 2023, updated August 1, 2023
Shortcuts
Available for: macOS Ventura
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group
System Settings
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-23542: Adam M.
Entry updated September 5, 2023
System Settings
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A permissions issue was addressed with improved validation.
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)
TCC
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch1t)
TextKit
Available for: macOS Ventura
Impact: A remote user may be able to cause a denial-of-service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2023-28188: Xin Huang (@11iaxH)
Entry added September 5, 2023
Vim
Available for: macOS Ventura
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to Vim version 9.0.1191.
CVE-2023-0049
CVE-2023-0051
CVE-2023-0054
CVE-2023-0288
CVE-2023-0433
CVE-2023-0512
WebKit
Available for: macOS Ventura
Impact: Content Security Policy to block domains with wildcards may fail
Description: A logic issue was addressed with improved validation.
WebKit Bugzilla: 250709
CVE-2023-32370: Gertjan Franken of imec-DistriNet, KU Leuven
Entry added September 5, 2023
WebKit
Available for: macOS Ventura
Impact: Processing web content may lead to arbitrary code execution
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 250429
CVE-2023-28198: hazbinhotel working with Trend Micro Zero Day Initiative
Entry added August 1, 2023
WebKit
Available for: macOS Ventura
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: A memory corruption issue was addressed with improved state management.
WebKit Bugzilla: 251890
CVE-2023-32435: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), Boris Larin (@oct0xor), and Valentin Pashkov of Kaspersky
Entry added June 21, 2023, updated August 1, 2023
WebKit
Available for: macOS Ventura
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: This issue was addressed with improved state management.
CVE-2023-27932: an anonymous researcher
WebKit
Available for: macOS Ventura
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
CVE-2023-27954: an anonymous researcher
WebKit
Available for: macOS Ventura
Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 249434
CVE-2014-1745: an anonymous researcher
Entry added December 21, 2023
WebKit PDF
Available for: macOS Ventura
Impact: Processing web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 249169
CVE-2023-32358: Anonymous working with Trend Micro Zero Day Initiative
Entry added August 1, 2023
WebKit Web Inspector
Available for: macOS Ventura
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: This issue was addressed with improved state management.
CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning_me) of SSD Labs
Entry added May 1, 2023
XPC
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with a new entitlement.
CVE-2023-27944: Mickey Jin (@patch1t)
Additional recognition
Activation Lock
We would like to acknowledge Christian Mina for their assistance.
AppleMobileFileIntegrity
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance.
Entry added December 21, 2023
AppleScript
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
Calendar UI
We would like to acknowledge Rafi Andhika Galuh (@rafipiun) for their assistance.
Entry added August 1, 2023
CFNetwork
We would like to acknowledge an anonymous researcher for their assistance.
Control Center
We would like to acknowledge Adam M. for their assistance.
Entry updated December 21, 2023
CoreServices
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
dcerpc
We would like to acknowledge Aleksandar Nikolic of Cisco Talos for their assistance.
FaceTime
We would like to acknowledge Sajan Karki for their assistance.
file_cmds
We would like to acknowledge Lukas Zronek for their assistance.
File Quarantine
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance.
Entry added May 1, 2023
Git
We would like to acknowledge for their assistance.
Heimdal
We would like to acknowledge Evgeny Legerov of Intevydis for their assistance.
ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their assistance.
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster University of Applied Sciences, Damian Poddebniak of FH Münster University of Applied Sciences, Tobias Kappert of Münster University of Applied Sciences, Christoph Saatjohann of Münster University of Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz Center for Information Security for their assistance.
NSOpenPanel
We would like to acknowledge Alexandre Colucci (@timacfr) for their assistance.
Password Manager
We would like to acknowledge OCA Creations LLC, Sebastian S. Andersen for their assistance.
Entry added May 1, 2023
quarantine
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance.
Safari Downloads
We would like to acknowledge Andrew Gonzalez for their assistance.
WebKit
We would like to acknowledge an anonymous researcher for their assistance.
WebKit Web Inspector
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer (@pwning_me) of SSD Labs for their assistance.
Wi-Fi
We would like to acknowledge an anonymous researcher for their assistance.