CVE-2023-32373

What is Apple WebKit?

WebKit is Apple's browser rendering engine, powering Safari on all Apple platforms and mandatory for all browsers distributed on iOS and iPadOS. It processes HTML, CSS, JavaScript, and media content for display. A use-after-free vulnerability in WebKit — where the engine accesses freed memory while rendering web content — can be triggered by visiting a malicious web page, making it a prime target for exploit chain developers seeking initial code execution on Apple devices.

Overview

CVE-2023-32373 is a use-after-free vulnerability in WebKit that leads to code execution when processing maliciously crafted web content. Apple disclosed it as actively exploited in the wild and patched it in iOS 16.5, macOS Ventura 13.4, tvOS 16.5, watchOS 9.5, and Safari 16.5 on May 18, 2023. CISA added it to the KEV catalog four days later. The CVE ID was formally published by NVD in June 2023, but exploitation predated that publication — a common pattern for Apple zero-day disclosures where patches precede formal CVE publication.

Affected Versions

Technical Details

Use-after-free (CWE-416) in WebKit occurs when the rendering engine frees a JavaScript or DOM object but retains a reference to the freed memory location. When that reference is subsequently dereferenced — triggered by crafted JavaScript sequences that manipulate object lifetimes — attacker-controlled data that has been placed at the freed memory address is executed or used as function pointers. This allows arbitrary code execution within the WebKit renderer process.

In a browser context, the exploit fires within the sandboxed WebKit Web Content process. Full device compromise requires a separate sandbox escape or kernel privilege escalation vulnerability chained after this initial execution primitive.

The KEV addition occurring before the formal CVE publication date reflects Apple's practice of disclosing zero-days in security advisories before NVD processes the CVE record — CISA tracks the advisory disclosure date, not the NVD publication date.

Discovery

Apple credited an anonymous researcher. Active exploitation prior to patch reflects use by a threat actor who discovered the bug independently — consistent with the commercial surveillance industry's research pipeline.

Exploitation Context

The May 2023 Apple update cycle addressed multiple WebKit zero-days (CVE-2023-32373 alongside CVE-2023-32409, a sandbox escape) — a combination suggesting a two-stage exploit chain: WebKit code execution followed by sandbox escape. This pattern is characteristic of commercial spyware delivery chains targeting iOS and macOS devices. CISA's rapid KEV addition confirms exploitation against real targets.

Remediation

1. Update to iOS/iPadOS 16.5 or later, macOS Ventura 13.4, tvOS 16.5, watchOS 9.5.
2. Enable automatic updates on all Apple devices — Settings → General → Software Update → Automatic Updates.
3. Enable Rapid Security Responses — allows Apple to push targeted security fixes between major updates without waiting for full OS releases.
4. Enable Lockdown Mode for high-risk individuals — reduces WebKit's JavaScript JIT surface and other exploit primitives.