What is Apple WebKit?
WebKit is Apple's open-source browser engine. It renders web content in Safari, in the WKWebView component that iOS and macOS apps embed, and in every third-party browser on iOS and iPadOS (outside the EU, where the Digital Markets Act obliged Apple to permit alternative engines starting with iOS 17.4, Apple's platform policy requires all iOS browsers to use WebKit). WebKit parses HTML and CSS and executes JavaScript for every page loaded in Safari or in any iOS app that displays web content. Because it runs untrusted content from the internet on the user's device, memory-corruption bugs that yield code execution while processing a malicious page are among the most critical attack surfaces on Apple devices, and WebKit exploits are a standard first stage for mobile spyware delivered through a link.
Overview
CVE-2023-28205 is a use-after-free vulnerability (CWE-416) in WebKit that lets a remote attacker achieve code execution in the WebContent (renderer) process when a user visits a malicious web page. Apple patched it in an emergency out-of-band update on April 7, 2023 (iOS/iPadOS 16.4.1, macOS Ventura 13.3.1, Safari 16.4.1), followed by iOS/iPadOS 15.7.5 for older devices on April 10, alongside CVE-2023-28206, an out-of-bounds write in IOSurfaceAccelerator used for kernel privilege escalation. Reported by the same researchers and patched together, the two CVEs fit the classic two-stage compromise chain: the WebKit bug gives code execution inside the sandboxed renderer, and the kernel bug escalates from there to full device control. Both CVEs were added to the CISA KEV catalog on April 10, 2023. Apple credited Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International Security Lab with the discovery.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| iOS and iPadOS | Prior to 16.4.1 | 16.4.1 |
| iOS and iPadOS (older devices) | Prior to 15.7.5 | 15.7.5 |
| macOS Ventura | Prior to 13.3.1 | 13.3.1 |
| Safari (standalone update for macOS Big Sur and macOS Monterey) | Prior to 16.4.1 | 16.4.1 |
Technical Details
A use-after-free (CWE-416) occurs when code keeps using a memory object after it has been freed. If the attacker can arrange for the freed slot to be reallocated with data they control (heap grooming from JavaScript is routine in browser exploitation), the stale access then operates on attacker-controlled memory and can be turned into a read/write primitive and eventually code execution. In WebKit, JavaScript objects are garbage-collected by JavaScriptCore, while DOM objects are reference counted through the engine's Ref/RefPtr smart pointers. The classic WebKit UAF pattern is engine code that holds a raw pointer or reference to a DOM object across an operation that can re-enter script or trigger layout; the attacker's JavaScript uses that window to drop the object's last strong reference, so the object is freed while the caller still intends to use it. Apple has not published the root cause of CVE-2023-28205 beyond describing it as a use-after-free fixed with improved memory management, so the exact trigger is not public.
Exploiting a WebKit UAF yields code execution inside the WebContent process, which runs in a sandbox with tight restrictions on file-system, network, and IPC access. Full device compromise therefore needs a second stage that escapes that sandbox, typically a kernel privilege escalation. CVE-2023-28206 (IOSurfaceAccelerator out-of-bounds write) was the kernel escalation patched together with this WebKit initial-access bug.
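The reference-counting pattern described above, as an added illustration that is not WebKit's code and not the CVE-2023-28205 root cause (which Apple has not published): a toy `Node`/`RefPtr` pair modelled on WebKit's Ref/RefPtr idiom, a vulnerable function that keeps a raw pointer across a call that can run page script, and the hardened form that takes a local strong reference first. The `g_liveNodes` registry is a demo-only instrument so the stale access can be detected without dereferencing freed memory; in the real engine that line would read freed, attacker-reclaimed heap.

```cpp
// Added illustration of the reference-counting use-after-free pattern common
// to WebKit DOM bugs. The classes here are hypothetical stand-ins for WebKit's
// Ref/RefPtr idiom, not the vulnerable code behind CVE-2023-28205.
#include <functional>
#include <set>
#include <string>
#include <utility>

// Demo-only registry of live Node addresses, so a stale pointer can be
// detected without dereferencing freed memory (undefined behaviour).
static std::set<const void*> g_liveNodes;

class Node {
public:
    explicit Node(std::string name) : m_name(std::move(name)) { g_liveNodes.insert(this); }
    ~Node() { g_liveNodes.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }   // last strong ref gone: freed
    const std::string& name() const { return m_name; }
private:
    unsigned m_refCount = 0;
    std::string m_name;
};

// Minimal intrusive smart pointer in the style of WTF::RefPtr.
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// A document owning the only strong reference to its "active" node, with a
// hook through which page JavaScript can run re-entrantly.
struct Document {
    RefPtr<Node> active;
    std::function<void(Document&)> runScript;
};

// Vulnerable pattern: a raw pointer is held across a call that can run script.
// The script replaces document.active, dropping the node's last reference and
// freeing it; the function then uses the dangling pointer.
// Returns whether the node was still alive at the point of use.
bool vulnerableUse(Document& doc) {
    Node* node = doc.active.get();          // raw pointer, no ownership
    doc.runScript(doc);                     // may free *node
    return g_liveNodes.count(node) != 0;    // real code would read freed memory here
}

// Hardened pattern: take a local strong reference before anything re-entrant
// runs, so the node survives until this scope ends (WebKit's "protect" idiom).
bool hardenedUse(Document& doc) {
    RefPtr<Node> protectedNode = doc.active;
    doc.runScript(doc);
    return g_liveNodes.count(protectedNode.get()) != 0;
}

// Constructed fixture: a page whose script swaps out the active node.
Document makeDocument() {
    Document doc;
    doc.active = RefPtr<Node>(new Node("div#target"));
    doc.runScript = [](Document& d) {
        d.active = RefPtr<Node>(new Node("span#replacement"));  // frees div#target
    };
    return doc;
}

// Helpers returning the outcome of each pattern on a fresh document.
bool demoVulnerable() { Document doc = makeDocument(); return vulnerableUse(doc); }  // false: node freed
bool demoHardened()   { Document doc = makeDocument(); return hardenedUse(doc); }    // true: node kept alive

int main() {
    return (demoVulnerable() == false && demoHardened() == true) ? 0 : 1;
}
```

In a real chain the attacker's JavaScript would, between the free and the stale use, allocate objects of the same size so the dangling pointer lands on attacker-controlled data; that reclaim step is what turns a crash into a read/write primitive. The fix shape is the same one WebKit applies routinely: hold a `Ref`/`RefPtr` (the `protectedThis` convention) across any call that can run script, fire events, or trigger layout.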
Discovery
Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International Security Lab jointly reported CVE-2023-28205. The pairing of TAG (which monitors nation-state and commercial offensive operations) and Amnesty International (which tracks commercial surveillance against civil society) strongly indicates this vulnerability was observed in targeted spyware delivery against high-risk individuals such as journalists, human rights defenders, or political dissidents before it was reported to Apple and patched.
Exploitation Context
WebKit zero-days are a primary first-stage delivery mechanism for mobile spyware on iOS. The April 2023 chain (CVE-2023-28205 + CVE-2023-28206) follows the established pattern of commercial surveillance vendors such as NSO Group (Pegasus), Intellexa (Predator), and Candiru maintaining up-to-date WebKit exploit chains that fire when a target opens a link; the same vendors also field zero-click chains that arrive through other parsers such as iMessage, but no zero-click delivery has been reported for this chain. Apple's advisory wording, "Apple is aware of a report that this issue may have been actively exploited," is the company's standard confirmation of in-the-wild exploitation, and the identity of the reporters points to targeted spyware use rather than broad criminal activity. No public attribution of this specific chain to a named vendor accompanied the patch.
Remediation
- Update to iOS/iPadOS 16.4.1 or 15.7.5 — apply via Settings → General → Software Update.
- Update macOS Ventura to 13.3.1 — apply via System Settings → General → Software Update.
- Update Safari to 16.4.1. On macOS Ventura, Safari 16.4.1 is bundled with the 13.3.1 OS update; on macOS Big Sur and macOS Monterey, Safari 16.4.1 ships as a standalone update through Software Update.
- Enable automatic updates on iOS, iPadOS, and macOS to receive future emergency patches promptly — Apple issues out-of-band emergency patches for actively exploited zero-days and automatic updates deliver these quickly.
- Consider Lockdown Mode on iOS/iPadOS for individuals at high risk of targeted spyware. Lockdown Mode disables JavaScript just-in-time compilation and several other web technologies in Safari and WKWebView (except for explicitly excluded sites), which removes many of the primitives WebKit exploit chains rely on.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-28205 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2023-04-10 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 (Use After Free) |
| CISA KEV Added | 2023-04-10 |
| CISA KEV Deadline | 2023-05-01 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required (the victim must load attacker-controlled web content) |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA KEV required action; due 2023-05-01 under BOD 22-01).
Timeline
| Date | Event |
|---|---|
| 2023-04-07 | Apple issues emergency out-of-band security updates: iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 — patching CVE-2023-28205 and CVE-2023-28206 |
| 2023-04-10 | Apple releases iOS 15.7.5 and iPadOS 15.7.5 with the same fixes for devices that cannot run iOS 16 |
| 2023-04-10 | CVE-2023-28205 and CVE-2023-28206 published in NVD; both added to the CISA KEV catalog the same day |
| 2023-05-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Update — iOS 16.4.1 and iPadOS 16.4.1 | Vendor Advisory |
| Apple Security Update — macOS Ventura 13.3.1 | Vendor Advisory |
| NVD — CVE-2023-28205 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |