CVE-2023-28204 — Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability

Apple WebKit — Out-of-Bounds Read Leaks Memory Layout via Malicious Web Content; May 2023 Zero-Day; KEV Added 32 Days Before NVD Publication; Apple RSR Delivery

What is Apple WebKit?

WebKit is Apple's open-source browser rendering engine powering Safari and all iOS/iPadOS browsers. Out-of-bounds read (CWE-125) vulnerabilities in WebKit occur when the JavaScript engine or HTML parser reads heap memory beyond the end of an allocated buffer while processing maliciously crafted web content. The read leaks adjacent heap memory contents — including object pointers and heap metadata — to JavaScript-observable values. This memory disclosure stage defeats ASLR (Address Space Layout Randomization), enabling a subsequent memory corruption exploit to be precisely targeted for reliable code execution. The combination of an OOB read (information leak) with a memory corruption primitive (code execution) is the standard architecture for browser exploit chains.

Overview

CVE-2023-28204 is an out-of-bounds read vulnerability (CWE-125) in Apple WebKit that can disclose sensitive heap memory contents when a user visits a maliciously crafted web page, enabling ASLR bypass. Apple patched it in May 2023 alongside CVE-2023-32409 (a WebKit sandbox escape), delivered via both Apple Rapid Security Response (RSR) updates and full OS updates. The kevAdded date (May 22, 2023) is 32 days before the datePublished (June 23, 2023) — reflecting CISA adding the vulnerability based on Apple's May advisory before NVD's CVE publishing pipeline completed, identical to the pattern seen with CVE-2023-23529.

CVE-2023-28204 was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International Security Lab.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| iOS and iPadOS | Prior to 16.5 | 16.5 (also iOS/iPadOS 15.7.6 for older devices) |
| macOS Ventura | Prior to 13.4 | 13.4 |
| macOS Monterey | Prior to 12.6.6 | 12.6.6 |
| macOS Big Sur | Prior to 11.7.7 | 11.7.7 |
| Safari | Prior to 16.5 | 16.5 |
| watchOS | Prior to 9.5 | 9.5 |
| tvOS | Prior to 16.5 | 16.5 |
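The table above is the data a fleet owner actually triages against, and Apple version strings have two traps: a Rapid Security Response build such as iOS 16.4.1 (a) carries the fix while plain 16.4.1 does not (the Timeline below records the RSR builds as patched), and macOS has three parallel fixed branches (13.4, 12.6.6, 11.7.7), so a naive "version >= 13.4" test misclassifies every patched Monterey and Big Sur machine. The following is an added example, not Apple's or this page's code: it encodes the fixed versions listed on this page and decides per device whether the fix is present. The product names, the inventory rows and the `is_patched` / `exposed_devices` helpers are constructed for illustration; treating a later RSR letter on the same base version as superseding an earlier one is an assumption, not something the page states.

```python
"""Patch-status triage for CVE-2023-28204 against the Affected Versions table.

Added example, not Apple's or the page author's code. Input is a list of
inventory rows (device id, product, installed version string, e.g. from an MDM
export); output is the devices still lacking the fix. Fixed versions are the
ones the page lists; iOS 16.4.1 (a) and macOS 13.3.1 (a) are accepted as
patched because the page's timeline records those Rapid Security Response
builds as carrying the fix. Inventory rows below are constructed sample data.
"""
import re

# Fixed builds per product line, taken from the Affected Versions table and the
# Timeline. Each branch maps to (minimum fixed version, {RSR base: RSR letter}).
FIXED = {
    "iOS":     {16: ("16.5", {"16.4.1": "a"}), 15: ("15.7.6", {})},
    "iPadOS":  {16: ("16.5", {"16.4.1": "a"}), 15: ("15.7.6", {})},
    "macOS":   {13: ("13.4", {"13.3.1": "a"}), 12: ("12.6.6", {}), 11: ("11.7.7", {})},
    "Safari":  {16: ("16.5", {})},
    "watchOS": {9:  ("9.5", {})},
    "tvOS":    {16: ("16.5", {})},
}

# Accepts "16.5", "16.4.1a", "16.4.1 (a)" and "16.4.1(a)".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(?([a-z])\)?)?\s*$")


def parse_version(text):
    """Split an Apple version string into (numeric tuple, RSR letter or None).

    '16.4.1 (a)' -> ((16, 4, 1), 'a');  '16.5' -> ((16, 5), None)
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Apple version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, m.group(2)


def _pad(parts, width=3):
    """Right-pad with zeros so (16, 5) compares equal to (16, 5, 0)."""
    return tuple(parts) + (0,) * (width - len(parts))


def is_patched(product, installed):
    """Return True if `installed` carries the CVE-2023-28204 fix for `product`.

    Branches newer than any listed fix (e.g. macOS 14) are treated as unaffected
    because they post-date the fix; branches older than the table (e.g. iOS 14)
    are treated as exposed, since the page lists no fix for them.
    """
    if product not in FIXED:
        raise ValueError(f"product not covered by the advisory table: {product!r}")
    parts, rsr = parse_version(installed)
    branches = FIXED[product]
    major = parts[0]
    if major > max(branches):
        return True
    if major not in branches:
        return False
    fixed, rsr_patched = branches[major]
    base = ".".join(str(p) for p in parts)
    # RSR builds: same base version plus a letter. Assumption (not from the page):
    # a later letter on the same base supersedes the recorded one.
    if rsr and base in rsr_patched and rsr >= rsr_patched[base]:
        return True
    return _pad(parts) >= _pad(parse_version(fixed)[0])


# Constructed sample inventory: (device id, product, installed version).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "16.4.1"),        # pre-RSR build: exposed
    ("phone-02", "iOS", "16.4.1 (a)"),    # RSR build: patched
    ("phone-03", "iOS", "15.7.5"),        # older branch, below 15.7.6: exposed
    ("phone-04", "iPadOS", "16.5"),
    ("mac-01", "macOS", "13.3.1"),        # Ventura without the RSR: exposed
    ("mac-02", "macOS", "12.6.6"),        # Monterey fixed build: patched
    ("mac-03", "macOS", "11.7.6"),        # Big Sur one below the fix: exposed
    ("mac-04", "macOS", "14.0"),          # newer line than the table: unaffected
    ("watch-01", "watchOS", "9.4"),
    ("tv-01", "tvOS", "16.5"),
]


def exposed_devices(inventory):
    """Return the ids of devices in `inventory` that still lack the fix."""
    return [dev for dev, product, ver in inventory if not is_patched(product, ver)]


if __name__ == "__main__":
    for dev in exposed_devices(SAMPLE_INVENTORY):
        print(f"{dev}: still exposed to CVE-2023-28204")
```

Feeding real MDM output into `exposed_devices` only needs the product name normalised to the keys of `FIXED`; the version parser already tolerates the bracketed and unbracketed RSR suffix forms Apple reports.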

Technical Details

Out-of-bounds reads (CWE-125) in WebKit's JavaScript engine occur when crafted JavaScript sequences cause the JIT compiler or interpreter to read memory at an incorrect offset from a heap-allocated object. The exploit pattern:

  1. Craft a web page with targeted JavaScript — construct JavaScript that exercises the vulnerable code path in a way that reads beyond the end of an allocated buffer
  2. Observe leaked memory via JavaScript — the out-of-bounds read makes adjacent heap data available to JavaScript code (e.g., as integer values from typed arrays or comparison results)
  3. Identify heap pointers — the leaked data contains pointer values from adjacent WebKit heap objects; correlating these with known heap structure layouts reveals the absolute addresses of key objects, defeating ASLR
  4. Chain with CVE-2023-32409 (sandbox escape) — armed with precise heap addresses, exploit the companion WebKit sandbox bypass to escape the browser renderer sandbox

The CVSS impact metrics (C:H/I:N/A:N) reflect information disclosure only: CVE-2023-28204 alone does not achieve code execution, but it enables the code execution stage by providing the memory layout knowledge necessary for reliable exploitation.

Discovery

Clément Lecigne (Google TAG) and Donncha Ó Cearbhaill (Amnesty International Security Lab) co-discovered CVE-2023-28204 and CVE-2023-32409, reporting them to Apple as part of analysis of an active exploit chain. The Amnesty International co-attribution is significant — it suggests the exploit chain was observed targeting activists, journalists, or human rights defenders whose devices were forensically analyzed by Amnesty's Security Lab, which then identified and responsibly disclosed the vulnerabilities.

Apple's use of the Rapid Security Response delivery mechanism for these patches reflects the urgency of actively exploited WebKit zero-days.

Exploitation Context

CVE-2023-28204 forms the ASLR-defeat stage of the May 2023 two-vulnerability WebKit chain (CVE-2023-28204 + CVE-2023-32409). This chain represents Apple's continued battle against commercial surveillance vendors who maintain weaponized iOS exploit chains: the April 2023 chain (CVE-2023-28205 + CVE-2023-28206) was patched, and the May 2023 chain (CVE-2023-28204 + CVE-2023-32409) appears to be a replacement chain with new zero-days, likely from the same commercial surveillance vendor.

The Amnesty International involvement in discovery mirrors the pattern of Pegasus spyware chains — Amnesty's forensic analysis of targeted individuals' devices is a primary source for zero-day WebKit exploit chain discovery.

Remediation

  1. Update to iOS/iPadOS 16.5 — apply via Settings → General → Software Update; also applies to iOS 15.7.6 for older devices.
  2. Update macOS to Ventura 13.4, Monterey 12.6.6, or Big Sur 11.7.7 — apply via Software Update.
  3. Enable automatic updates — Apple delivers zero-day patches through automatic updates; enabling this minimizes the exposure window.
  4. Enable Lockdown Mode for at-risk individuals — Lockdown Mode restricts WebKit functionality used in commercial surveillance exploit chains, significantly raising the cost of exploitation.
  5. Consider mobile threat defense — tools that detect behavioral anomalies on iOS devices (unusual process activity, unexpected network connections) can detect some exploit chain stages even before public attribution.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-28204 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2023-06-23 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-125 |
| CISA KEV Added | 2023-05-22 |
| CISA KEV Deadline | 2023-06-12 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |

Required Action

CISA BOD 22-01 Deadline: 2023-06-12. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2023-05-18 | Apple releases Rapid Security Response patches (iOS 16.4.1 (a), macOS 13.3.1 (a)) and then full updates (iOS 16.5, macOS 13.4) patching CVE-2023-28204 alongside CVE-2023-32409 (WebKit sandbox escape) |
| 2023-05-22 | CISA adds CVE-2023-28204 to the Known Exploited Vulnerabilities catalog, 32 days before NVD formally publishes the CVE ID; reflects CISA tracking Apple advisories directly |
| 2023-06-12 | CISA BOD 22-01 remediation deadline |
| 2023-06-23 | CVE-2023-28204 formally published on NVD |