About the security content of tvOS 17.2

This document describes the security content of tvOS 17.2.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

tvOS 17.2

Released December 11, 2023

AVEVideoEncoder

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

ImageIO

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Zhenjiang Zhao of Pangu Team, Qianxin and Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Entry updated March 22, 2024

Kernel

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

Libsystem

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to access protected user data

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-42893

Entry added March 22, 2024

Sandbox

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42936

Entry added March 22, 2024

TCC

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: An app may be able to break out of its sandbox

Description: A path handling issue was addressed with improved validation.

CVE-2023-42947: Zhongquan Li (@Guluisacat) of Dawn Security Lab of JingDong

Entry added March 22, 2024

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830
CVE-2023-42890: Pwn2car

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349
CVE-2023-42883: Zoom Offensive Security Team

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: A memory corruption vulnerability was addressed with improved locking.

WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

WebKit

Available for: Apple TV HD and Apple TV 4K (all models)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 263682
CVE-2023-42950: Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute and rushikesh nandedkar

Entry added March 22, 2024

 

Additional recognition

WebSheet

We would like to acknowledge Paolo Ruggero of e-phors S.p.A. (A FINCANTIERI S.p.A. Company) for their assistance.

Entry added March 22, 2024

Wi-Fi

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: