About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
macOS Sonoma 14
Released September 26, 2023
Airport
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to read sensitive location information
Description: A permissions issue was addressed with improved redaction of sensitive information.
CVE-2023-40384: Adam M.
AMD
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-32377: ABC Research s.r.o.
AMD
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-38615: ABC Research s.r.o.
AppSandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access protected user data
Description: The issue was addressed with improved checks.
CVE-2023-42929: Mickey Jin (@patch1t)
Entry added December 22, 2023
App Store
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A remote attacker may be able to break out of Web Content sandbox
Description: The issue was addressed with improved handling of protocols.
CVE-2023-40448: w0wbox
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional permissions checks.
CVE-2023-42872: Mickey Jin (@patch1t)
Entry added December 22, 2023
Apple Neural Engine
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-40432: Mohamed GHANNAM (@_simo36)
CVE-2023-42871: Mohamed GHANNAM (@_simo36)
Entry updated December 22, 2023
Apple Neural Engine
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40399: Mohamed GHANNAM (@_simo36)
Apple Neural Engine
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to disclose kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai
Ask to Buy
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access protected user data
Description: The issue was addressed with improved checks.
CVE-2023-38612: Chris Ross (Zoom)
Entry added December 22, 2023
AuthKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved handling of caches.
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security
Bluetooth
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An attacker in physical proximity can cause a limited out of bounds write
Description: The issue was addressed with improved checks.
CVE-2023-35984: zer0k
Bluetooth
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40402: Yiğit Can YILMAZ (@yilmazcanyigit)
Bluetooth
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to bypass certain Privacy preferences
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40426: Yiğit Can YILMAZ (@yilmazcanyigit)
BOM
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved bounds checks.
CVE-2023-42876: Koh M. Nakagawa (@tsunek0h)
Entry added December 22, 2023
bootp
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)
Calendar
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access calendar data saved to a temporary directory
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-29497: Kirin (@Pwnrin) and Yishu Wang
CFNetwork
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may fail to enforce App Transport Security
Description: The issue was addressed with improved handling of protocols.
CVE-2023-38596: Will Brattain at Trail of Bits
ColorSync
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to read arbitrary files
Description: The issue was addressed with improved checks.
CVE-2023-40406: JeongOhKyea of Theori
CoreAnimation
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic
Core Data
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-40528: Kirin (@Pwnrin) of NorthSea
Entry added January 22, 2024
Core Image
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access edited photos saved to a temporary directory
Description: An issue was addressed with improved handling of temporary files.
CVE-2023-40438: Wojciech Regula of SecuRing (wojciechregula.blog)
Entry added December 22, 2023
CoreMedia
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A camera extension may be able to access the camera view from apps other than the app for which it was granted permission
Description: A logic issue was addressed with improved checks
CVE-2023-41994: Halle Winkler, Politepix @hallewinkler
Entry added December 22, 2023
CUPS
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A remote attacker may be able to cause a denial-of-service
Description: The issue was addressed with improved bounds checks.
CVE-2023-40407: Sei K.
Dev Tools
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2023-32396: Mickey Jin (@patch1t)
CVE-2023-42933: Mickey Jin (@patch1t)
Entry updated December 22, 2023
FileProvider
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to bypass Privacy preferences
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-41980: Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)
FileProvider
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed with improved data protection.
CVE-2023-40411: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and Csaba Fitzl (@theevilbit) of Offensive Security
Entry added December 22, 2023
Game Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access contacts
Description: The issue was addressed with improved handling of caches.
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security
GPU Drivers
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security
GPU Drivers
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to a denial-of-service
Description: A resource exhaustion issue was addressed with improved input validation.
CVE-2023-40441: Ron Masas of Imperva
iCloud
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with improved redaction of sensitive information.
CVE-2023-23495: Csaba Fitzl (@theevilbit) of Offensive Security
iCloud Photo Library
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access a user's Photos Library
Description: A configuration issue was addressed with additional restrictions.
CVE-2023-40434: Mikko Kenttälä (@Turmio_ ) of SensorFu
Image Capture
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2023-38586: Yiğit Can YILMAZ (@yilmazcanyigit)
IOAcceleratorFamily
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An attacker may be able to cause unexpected system termination or read kernel memory
Description: The issue was addressed with improved bounds checks.
CVE-2023-40436: Murray Mike
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use-after-free issue was addressed with improved memory management.
CVE-2023-41995: Certik Skyfall Team, and pattern-f (@pattern_F_) of Ant Security Light-Year Lab
CVE-2023-42870: Zweig of Kunlun Lab
Entry updated December 22, 2023
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with improved validation.
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A remote user may be able to cause kernel code execution
Description: A type confusion issue was addressed with improved checks.
CVE-2023-41060: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Entry added December 22, 2023
LaunchServices
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2023-41067: Ferdous Saljooki (@malwarezoo) of Jamf Software and an anonymous researcher
libpcap
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A remote user may cause an unexpected app termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2023-40400: Sei K.
libxpc
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to delete files for which it does not have permission
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)
libxpc
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access protected user data
Description: An authorization issue was addressed with improved state management.
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)
libxslt
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may disclose sensitive information
Description: The issue was addressed with improved memory handling.
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security
Maps
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)
Messages
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to observe unprotected user data
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-32421: Meng Zhang (鲸落) of NorthSea, Ron Masas of BreakPoint Security Research, Brian McNulty, and Kishan Bagaria of Texts.com
Model I/O
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing a file may lead to arbitrary code execution
Description: The issue was addressed with improved checks.
CVE-2023-42826: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
Entry added October 19, 2023
Music
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-41986: Gergely Kalman (@gergely_kalman)
NetFSFramework
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40455: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Notes
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access Notes attachments
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-40386: Kirin (@Pwnrin)
OpenSSH
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A vulnerability was discovered in OpenSSHs remote forwarding
Description: This issue was addressed by updating OpenSSH to 9.3p2
CVE-2023-38408: baba yaga, an anonymous researcher
Entry added December 22, 2023
Passkeys
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An attacker may be able to access passkeys without authentication
Description: The issue was addressed with additional permissions checks.
CVE-2023-40401: weize she and an anonymous researcher
Entry added December 22, 2023
Photos
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Photos in the Hidden Photos Album may be viewed without authentication
Description: An authentication issue was addressed with improved state management.
CVE-2023-40393: an anonymous researcher, Berke Kırbaş, and Harsh Jaiswal
Entry added December 22, 2023
Photos Storage
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app with root privileges may be able to access private information
Description: An information disclosure issue was addressed by removing the vulnerable code.
CVE-2023-42934: Wojciech Regula of SecuRing (wojciechregula.blog)
Entry added December 22, 2023
Power Management
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A user may be able to view restricted content from the lock screen
Description: A lock screen issue was addressed with improved state management.
CVE-2023-37448: Serkan Erayabakan, David Kotval, Akincibor, Sina Ahmadi of George Mason University, and Billy Tabrizi
Entry updated December 22, 2023
Printing
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to modify Printer settings
Description: The issue was addressed with improved handling of caches.
CVE-2023-38607: Yiğit Can YILMAZ (@yilmazcanyigit)
Entry added December 22, 2023
Printing
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved checks.
CVE-2023-41987: Kirin (@Pwnrin), and Wojciech Regula of SecuRing (wojciechregula.blog)
Entry added December 22, 2023
Pro Res
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-41063: Certik Skyfall Team
QuartzCore
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40422: Tomi Tokics (@tomitokics) of iTomsn0w
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may disclose sensitive information
Description: The issue was addressed with improved checks.
CVE-2023-39233: Luan Herrera (@lbherrera_)
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Safari may save photos to an unprotected location
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2023-40388: Kirin (@Pwnrin)
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to identify what other apps a user has installed
Description: The issue was addressed with improved checks.
CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Visiting a website that frames malicious content may lead to UI spoofing
Description: A window management issue was addressed with improved state management.
CVE-2023-40417: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune (India)
Entry updated December 22, 2023
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to overwrite arbitrary files
Description: The issue was addressed with improved bounds checks.
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access removable volumes without user consent
Description: A logic issue was addressed with improved checks.
CVE-2023-40430: Yiğit Can YILMAZ (@yilmazcanyigit)
Entry added December 22, 2023
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Apps that fail verification checks may still launch
Description: The issue was addressed with improved checks.
CVE-2023-41996: Mickey Jin (@patch1t) and Yiğit Can YILMAZ (@yilmazcanyigit)
Entry added December 22, 2023
Screen Sharing
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to bypass certain Privacy preferences
Description: An authorization issue was addressed with improved state management.
CVE-2023-41078: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Share Sheet
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access sensitive data logged when a user shares a link
Description: A logic issue was addressed with improved checks.
CVE-2023-41070: Kirin (@Pwnrin)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2023-40541: Noah Roskin-Frazee (ZeroClicks.ai Lab) and James Duffy (mangoSecure)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to bypass Privacy preferences
Description: The issue was addressed with improved permissions logic.
CVE-2023-41079: Ron Masas of BreakPoint.sh and an anonymous researcher
Spotlight
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to gain root privileges
Description: The issue was addressed with improved checks.
CVE-2023-40443: Gergely Kalman (@gergely_kalman)
Entry added December 22, 2023
StorageKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to read arbitrary files
Description: This issue was addressed with improved validation of symlinks.
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins
System Preferences
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may bypass Gatekeeper checks
Description: The issue was addressed with improved checks.
CVE-2023-40450: Thijs Alkemade (@xnyhps) from Computest Sector 7
TCC
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to arbitrary code execution
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 249451
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee (@l33d0hyun) of PK Security
WebKit Bugzilla: 258992
CVE-2023-40414: Francisco Alonso (@revskills)
Entry updated December 22, 2023
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 256551
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and Jie Ding(@Lime) from HKUS3 Lab
Entry updated December 22, 2023
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 239758
CVE-2023-35074: Ajou University Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)
Entry updated December 22, 2023
WebKit
Available for: Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A user's password may be read aloud by VoiceOver
Description: This issue was addressed with improved redaction of sensitive information.
WebKit Bugzilla: 248717
CVE-2023-32359: Claire Houston
Entry added December 22, 2023
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: A remote attacker may be able to view leaked DNS queries with Private Relay turned on
Description: This issue was addressed by removing the vulnerable code.
WebKit Bugzilla: 257303
CVE-2023-40385: Anonymous
Entry added December 22, 2023
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: Processing web content may lead to arbitrary code execution
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 258592
CVE-2023-42833: Dong Jun Kim (@smlijun), and Jong Seong Kim (@nevul37) of AbyssLab
Entry added December 22, 2023
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2023-38610: Wang Yu of Cyberserval
Entry added December 22, 2023
Windows Server
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to unexpectedly leak a user's credentials from secure text fields
Description: An authentication issue was addressed with improved state management.
CVE-2023-41066: An anonymous researcher, Jeremy Legendre of MacEnhance, and Felix Kratz
Entry updated December 22, 2023
XProtectFramework
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017)
Impact: An app may be able to modify protected parts of the file system
Description: A race condition was addressed with improved locking.
CVE-2023-41979: Koh M. Nakagawa (@tsunek0h)
Additional recognition
Airport
We would like to acknowledge Adam M., Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.
AppKit
We would like to acknowledge an anonymous researcher for their assistance.
Apple Neural Engine
We would like to acknowledge pattern-f (@pattern_F_) of Ant Security Light-Year Lab for their assistance.
Entry added December 22, 2023
AppSandbox
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Archive Utility
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
Audio
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
Bluetooth
We would like to acknowledge Jianjun Dai and Guang Gong of 360 Vulnerability Research Institute for their assistance.
Books
We would like to acknowledge Aapo Oksman of Nixu Cybersecurity for their assistance.
Entry added December 22, 2023
Control Center
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Entry added December 22, 2023
Core Location
We would like to acknowledge Wouter Hennen for their assistance.
CoreMedia Playback
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
CoreServices
We would like to acknowledge Thijs Alkemade of Computest Sector 7, Wojciech Reguła (@_r3ggi) of SecuRing, and an anonymous researcher for their assistance.
Entry added December 22, 2023
Data Detectors UI
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal for their assistance.
Find My
We would like to acknowledge Cher Scarlett for their assistance.
Home
We would like to acknowledge Jake Derouin (jakederouin.com) for their assistance.
IOGraphics
We would like to acknowledge an anonymous researcher for their assistance.
IOUserEthernet
We would like to acknowledge Certik Skyfall Team for their assistance.
Entry added December 22, 2023
Kernel
We would like to acknowledge Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group, Xinru Chi of Pangu Lab, 永超 王 for their assistance.
libxml2
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance.
libxpc
We would like to acknowledge an anonymous researcher for their assistance.
libxslt
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security, OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance.
We would like to acknowledge Taavi Eomäe from Zone Media OÜ for their assistance.
Entry added December 22, 2023
Menus
We would like to acknowledge Matthew Denton of Google Chrome Security for their assistance.
Entry added December 22, 2023
Model I/O
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
NSURL
We would like to acknowledge Zhanpeng Zhao (行之), 糖豆爸爸(@晴天组织) for their assistance.
PackageKit
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security, an anonymous researcher for their assistance.
Photos
We would like to acknowledge Anatolii Kozlov, Dawid Pałuska, Kirin (@Pwnrin), Lyndon Cornelius, Paul Lurin for their assistance.
Power Services
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
Entry added December 22, 2023
Reminders
We would like to acknowledge Paweł Szafirowski for their assistance.
Safari
We would like to acknowledge Kang Ali of Punggawa Cyber Security for their assistance.
Sandbox
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
SharedFileList
We would like to acknowledge Christopher Lopez - @L0Psec and Kandji, Leo Pitt of Zoom Video Communications, Masahiro Kawada (@kawakatz) of GMO Cybersecurity by Ierae, and Ross Bingham (@PwnDexter) for their assistance.
Entry updated December 22, 2023
Shortcuts
We would like to acknowledge Alfie CG, Christian Basting of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania, Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies, KRISHAN KANT DWIVEDI (@xenonx7), and Matthew Butler for their assistance.
Entry updated April 24, 2024
Software Update
We would like to acknowledge Omar Siman for their assistance.
Spotlight
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal, Dawid Pałuska for their assistance.
StorageKit
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.
Video Apps
We would like to acknowledge James Duffy (mangoSecure) for their assistance.
WebKit
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft Pvt. Ltd, Pune (India), and an anonymous researcher for their assistance.
WebRTC
We would like to acknowledge anonymous researcher for their assistance.
Wi-Fi
We would like to acknowledge Adam M., and Wang Yu of Cyberserval for their assistance.
Entry updated December 22, 2023