CVE-2023-23529 — Apple Multiple Products WebKit Type Confusion Vulnerability

CVE-2023-23529

Apple iOS/iPadOS/macOS/Safari WebKit — Type Confusion for Code Execution via Malicious Web Content; February 2023 Zero-Day; KEV Added Before NVD Publication

What is Apple WebKit?

WebKit is Apple's open-source browser rendering engine, used in Safari and — by Apple's platform policy — in every browser on iOS and iPadOS. It processes HTML, CSS, and JavaScript content; type confusion vulnerabilities in WebKit arise when the JavaScript engine makes incorrect type assumptions, allowing crafted script to manipulate memory in ways that enable code execution. WebKit zero-days are among the most strategically valuable exploits in the mobile spyware market because they provide the initial code execution foothold on iOS devices without requiring physical access or user interaction beyond visiting a URL.

Overview

CVE-2023-23529 is a type confusion vulnerability (CWE-843) in WebKit that allows a remote attacker to achieve code execution when a user visits a malicious web page. Apple patched it on February 13, 2023 in emergency out-of-band updates (iOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3.1). The CISA KEV addition on February 14, 2023 preceded the formal NVD CVE publication by 13 days — reflecting that CISA tracked the vulnerability through Apple's emergency disclosure rather than waiting for NVD assignment. Apple's advisory credited an anonymous researcher and confirmed active exploitation in the wild.

Affected Versions

Product            Affected           Fixed
iOS and iPadOS     Prior to 16.3.1    16.3.1
macOS Ventura      Prior to 13.2.1    13.2.1
Safari             Prior to 16.3.1    16.3.1

Note: iOS 15.x, older macOS versions, and other Apple platforms may have received separate fixes — consult Apple's HEV portals for the full list of affected versions and corresponding patches.
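
A fleet check against the fixed versions in the table above, as an added example that is not part of the original page or any Apple tooling. The inventory rows, host names and status labels are constructed; versions on an older major line return "check-advisory" because the table does not cover them.

```python
import re

# Fixed versions from the table above; keys are lower-cased product names.
FIXED = {
    "ios": (16, 3, 1),
    "ipados": (16, 3, 1),
    "macos": (13, 2, 1),   # macOS Ventura
    "safari": (16, 3, 1),
}

def parse_version(text):
    """'16.3' -> (16, 3, 0); a trailing build suffix such as ' (20D67)' is ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def patch_status(product, version):
    """Return 'patched', 'vulnerable' or 'check-advisory' for one install."""
    fixed = FIXED.get(product.lower())
    if fixed is None:
        return "check-advisory"          # product not listed in the table
    v = parse_version(version)
    if v[0] < fixed[0]:
        return "check-advisory"          # older major line, may have its own fix
    return "patched" if v >= fixed else "vulnerable"

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("iphone-01", "iOS", "16.3"),
    ("iphone-02", "iOS", "16.3.1 (20D67)"),
    ("ipad-07", "iPadOS", "15.7.3"),
    ("mbp-12", "macOS", "13.2"),
    ("mbp-13", "macOS", "13.2.1"),
    ("mbp-14", "Safari", "16.3"),
]

def audit(inventory):
    """Map each host to its patch status."""
    return {host: patch_status(product, version)
            for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```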

Technical Details

Type confusion (CWE-843) in WebKit occurs when the JavaScript engine's JIT compiler optimizes code paths based on observed object types, then executes the optimized code against an object of a different type. A crafted JavaScript sequence can manipulate the engine's type inference, causing it to:

  1. Generate optimized machine code that assumes one object layout (e.g., reads a field at a specific byte offset)
  2. Execute that code against an object with a different layout (e.g., a different class with unrelated data at that offset)

The resulting out-of-bounds memory access allows the attacker to:

  • Read memory addresses from adjacent heap objects (defeating ASLR)
  • Write controlled data to adjacent heap regions (corrupting control-flow data)
  • Achieve arbitrary code execution within the WebKit renderer sandbox

Code execution within the WebKit sandbox does not grant full device access — a separate kernel privilege escalation is typically required to fully compromise the device, as seen in the April 2023 chain (CVE-2023-28205 + CVE-2023-28206).
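
The two-step mechanism above, modelled on a toy heap as an added example that is not WebKit code and not from the original page. The object layouts, tags and values are constructed; the model shows only why a missing type guard turns a layout assumption into an out-of-bounds read, and how keeping the guard stops it.

```python
import struct

# Toy model, constructed for illustration: a flat "heap" of 32-bit fields.
TAG_ARRAY, TAG_POINT = 1, 2

def alloc_array(heap, values):
    """Layout: [tag][length][elem0][elem1]...  Returns the object's offset."""
    off = len(heap)
    heap.extend(struct.pack(f"<II{len(values)}I", TAG_ARRAY, len(values), *values))
    return off

def alloc_point(heap, x, y):
    """Layout: [tag][x][y].  Offset 4 holds x, not a length."""
    off = len(heap)
    heap.extend(struct.pack("<III", TAG_POINT, x, y))
    return off

def u32(heap, off):
    return struct.unpack_from("<I", heap, off)[0]

def element_specialized(heap, obj, i):
    """Code specialized for arrays, with the type check removed."""
    length = u32(heap, obj + 4)          # on a Point this reads x instead
    if i >= length:
        return None
    return u32(heap, obj + 8 + 4 * i)    # may land outside the object

def element_guarded(heap, obj, i):
    """Same fast path, but the type guard stays in front of it."""
    if u32(heap, obj) != TAG_ARRAY:
        raise TypeError("type guard failed: fall back to the generic path")
    return element_specialized(heap, obj, i)

def demo():
    heap = bytearray()
    point = alloc_point(heap, x=1000, y=7)         # occupies bytes 0..11
    alloc_array(heap, [0xC0FFEE])                  # neighbour, bytes 12..23
    leaked = element_specialized(heap, point, 3)   # offset 20: neighbour's data
    try:
        element_guarded(heap, point, 3)
        blocked = False
    except TypeError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())
```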

Discovery

Apple credited an anonymous researcher with discovering CVE-2023-23529. The emergency out-of-band patch (rather than waiting for the regular security update cycle) and Apple's explicit "actively exploited" language confirm this was a zero-day in use before Apple discovered and fixed it. Anonymous reporter attribution is common for commercially sensitive vulnerability disclosures — including those involving commercial surveillance vendors.

Exploitation Context

WebKit type confusion zero-days are consistently observed in commercial mobile spyware delivery chains. The February 2023 timing — shortly after CVE-2023-2033 began a year of active V8 zero-day exploitation — reflects the ongoing maintenance of browser exploit capabilities by multiple actors in the commercial surveillance ecosystem. The emergency patch cadence (Apple's fourth emergency out-of-band security update since 2022 for a WebKit zero-day at that point) demonstrates how rapidly these exploits are deployed after Apple patches one and attackers develop new ones.

The kevAdded date (February 14) preceding datePublished (February 27) is the result of CISA's real-time tracking of Apple emergency advisories and their direct addition to the KEV catalog before NVD's CVE publishing pipeline completes — illustrating how critical known-exploited zero-days are tracked and communicated to federal agencies.
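
A tracking check for the gap described above, as an added example that is not part of the original page or any CISA or NVD tooling. The field names kevAdded and datePublished follow this page; kevDeadline, the action labels and the second record are assumptions constructed for illustration.

```python
from datetime import date

RECORDS = [
    # Dates for CVE-2023-23529 are the ones given on this page.
    {"cve": "CVE-2023-23529", "kevAdded": "2023-02-14",
     "datePublished": "2023-02-27", "kevDeadline": "2023-03-07"},
    # Constructed placeholder: listed in KEV, no NVD publication date yet.
    {"cve": "CVE-0000-00000", "kevAdded": "2023-02-20",
     "datePublished": None, "kevDeadline": "2023-03-13"},
]

def triage(record, today):
    """Decide how to track one KEV entry as of `today`."""
    added = date.fromisoformat(record["kevAdded"])
    deadline = date.fromisoformat(record["kevDeadline"])
    published = record.get("datePublished")
    published = date.fromisoformat(published) if published else None

    # Positive lead: KEV listed the CVE before NVD published it.
    kev_lead = (published - added).days if published else None
    nvd_visible = published is not None and published <= today
    days_left = (deadline - today).days

    if days_left < 0:
        action = "overdue"
    elif not nvd_visible:
        # An NVD-only feed has no record yet; the KEV entry must drive the ticket.
        action = "track-from-kev"
    else:
        action = "track"
    return {"cve": record["cve"], "kev_lead_days": kev_lead,
            "nvd_visible": nvd_visible, "days_left": days_left,
            "action": action}

def triage_all(records, today):
    return [triage(r, today) for r in records]

if __name__ == "__main__":
    for row in triage_all(RECORDS, date(2023, 2, 21)):
        print(row)
```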

Remediation

  1. Update to iOS/iPadOS 16.3.1 — apply via Settings → General → Software Update.
  2. Update macOS Ventura to 13.2.1 — apply via System Settings → General → Software Update.
  3. Update Safari to 16.3.1 — applied via macOS Software Update.
  4. Enable automatic updates — Apple emergency patches are delivered via automatic updates, minimizing the window between fix availability and deployment.
  5. Consider Lockdown Mode for individuals at elevated risk of targeted spyware delivery (journalists, activists, lawyers, political figures) — Lockdown Mode restricts WebKit processing features frequently exploited by commercial surveillance chains.

Key Details

Property               Value
CVE ID                 CVE-2023-23529
Vendor / Product       Apple — Multiple Products
NVD Published          2023-02-27
NVD Last Modified      2025-10-23
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-843
CISA KEV Added         2023-02-14
CISA KEV Deadline      2023-03-07
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-03-07. Apply updates per vendor instructions.

Timeline

Date         Event
2023-02-13   Apple releases emergency patches: iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 — patching CVE-2023-23529 as an actively exploited zero-day
2023-02-14   Added to CISA Known Exploited Vulnerabilities catalog — one day after Apple's patch, thirteen days before NVD formally published the CVE ID
2023-02-27   CVE-2023-23529 formally published on NVD
2023-03-07   CISA BOD 22-01 remediation deadline