CVE-2023-32434 — Apple Multiple Products Integer Overflow Vulnerability

Apple Kernel — Integer Overflow Enabling Kernel Code Execution; Component of Operation Triangulation Chain

What is the Apple XNU Kernel?

The XNU kernel is the core of iOS, iPadOS, macOS, tvOS, and watchOS, responsible for memory management, hardware access, and enforcing process isolation. Kernel-level code execution gives an attacker complete, persistent control over the device — bypassing all sandboxes, app isolation, and security features. Integer overflow vulnerabilities in the kernel arise when arithmetic operations produce values outside expected bounds, leading to incorrect memory allocation sizes and exploitable heap or stack corruption.

Overview

CVE-2023-32434 is an integer overflow vulnerability in the Apple kernel that allows an application to execute code with kernel privileges. It is a component of Operation Triangulation — one of the most technically sophisticated iOS attack chains ever publicly analyzed — discovered by Kaspersky researchers. The vulnerability was patched in iOS 16.5.1 and macOS Ventura 13.4.1 on June 21, 2023, following Kaspersky's June 1, 2023 public disclosure of the campaign.

Affected Versions

Product          Affected                               Fixed
iOS              Prior to 16.5.1 and prior to 15.7.7    16.5.1 / 15.7.7
iPadOS           Prior to 16.5.1 and prior to 15.7.7    16.5.1 / 15.7.7
macOS Ventura    Prior to 13.4.1                        13.4.1
macOS Monterey   Prior to 12.6.8                        12.6.8
watchOS          Prior to 9.5.2                         9.5.2

Technical Details

The vulnerability is an integer overflow (CWE-190) in the XNU kernel. When calculating memory allocation sizes or buffer lengths using integer arithmetic, an overflow condition causes the computed value to wrap around to a small number — resulting in an allocation that is far smaller than the actual data being processed. The kernel then writes data beyond the allocated buffer, corrupting adjacent kernel memory.
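To make the allocation-size wraparound described above concrete, the following is an added C example (an illustrative model of the CWE-190 pattern, not XNU's code): the unchecked 32-bit multiply beside an overflow-checked version built on the compiler's __builtin_mul_overflow, with constructed record counts and sizes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (illustrative model of CWE-190, not XNU's actual code):
 * a 32-bit multiply wraps silently, so a huge count yields a tiny size. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;   /* e.g. 0x40000001 * 4 wraps to 4 */
}

/* Hardened check: report whether count * elem_size fits in 32 bits. */
bool alloc_size_overflows(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    return __builtin_mul_overflow(count, elem_size, &bytes);
}

/* Copy 'count' records of 'elem_size' bytes from src into a fresh buffer.
 * Refuses (returns NULL, allocates nothing) when the size would wrap; an
 * unchecked caller would instead get a 4-byte buffer and then write past it. */
uint8_t *copy_records_checked(const uint8_t *src, uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return NULL;
    uint8_t *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Constructed sample input: four 4-byte records. */
static const uint8_t SAMPLE_RECORDS[16] = {
    1, 2, 3, 4,  5, 6, 7, 8,  9, 10, 11, 12,  13, 14, 15, 16
};

/* Round-trip the sample through the checked copy; true on success. */
bool copy_roundtrip_ok(void) {
    uint8_t *out = copy_records_checked(SAMPLE_RECORDS, 4, 4);
    bool ok = out != NULL && memcmp(out, SAMPLE_RECORDS, sizeof SAMPLE_RECORDS) == 0;
    free(out);
    return ok;
}
```

The same inputs (count 0x40000001, element size 4) give a wanted size of 4,294,967,300 bytes but an unchecked result of 4, which is the shortfall that turns the subsequent copy into a heap overflow.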

In the Operation Triangulation exploit chain, CVE-2023-32434 served as the kernel privilege escalation stage:

  1. Initial entry (CVE-2023-41990 / CVE-2023-32435): Zero-click iMessage delivery triggers code execution via font or WebKit parsing.
  2. CVE-2023-32434 (kernel): The kernel integer overflow is triggered to corrupt memory and achieve code execution with kernel (ring 0) privileges.
  3. Implant installation: The Triangulation spy platform is installed persistently with full device access.

The depth of the Kaspersky analysis (presented at 37C3) revealed that the complete chain also exploited an undocumented hardware feature in Apple Silicon and A-series chips — a memory-mapped register used by GPU firmware — suggesting the attacker had access to Apple's internal chip documentation or performed extraordinary hardware reverse engineering.

Discovery

Kaspersky researchers Boris Larin, Leonid Bezvershenko, Georgy Kucherin, and Valentin Pashkov discovered Operation Triangulation and CVE-2023-32434 while investigating anomalous network traffic from iOS devices used by Kaspersky employees. The campaign had been running since at least 2019.

Exploitation Context

Operation Triangulation is attributed to a sophisticated state-level threat actor (not publicly confirmed, but Russia's FSB alleged US intelligence involvement). Targets included Kaspersky employees and, according to Russia's Federal Security Service, Russian government officials and diplomats. The chain's use of an undocumented Apple chip hardware feature places it at the pinnacle of iOS offensive research — no publicly known prior exploit has leveraged this class of hardware-level capability.

CISA added CVE-2023-32434 to KEV on June 23, 2023, two days after Apple's patch.

Remediation

  1. Update to iOS 16.5.1 / iPadOS 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.8, watchOS 9.5.2 or any later version.
  2. Enable Lockdown Mode on devices used by government officials, security researchers, and others at elevated risk of state-sponsored targeting.
  3. Monitor network traffic from iOS devices — Kaspersky initially detected Triangulation via anomalous device traffic; mobile threat defense (MTD) platforms can provide similar visibility.
  4. Stay current with Apple updates — the Triangulation chain required four zero-days; Apple's patching of each component breaks the chain.
  5. If compromise is suspected, use Amnesty International's Mobile Verification Toolkit (MVT) for forensic analysis.

Key Details

Property               Value
CVE ID                 CVE-2023-32434
Vendor / Product       Apple — Multiple Products
NVD Published          2023-06-23
NVD Last Modified      2025-10-23
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-190
CISA KEV Added         2023-06-23
CISA KEV Deadline      2023-07-14
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: None
User Interaction:    Required
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2023-07-14. Apply updates per vendor instructions.

Timeline

Date         Event
2023-06-01   Kaspersky publicly discloses Operation Triangulation after discovering the campaign targeting its employees
2023-06-21   Apple releases iOS 16.5.1, iPadOS 16.5.1, macOS Ventura 13.4.1 patching CVE-2023-32434 and CVE-2023-32435
2023-06-23   Added to CISA Known Exploited Vulnerabilities catalog
2023-07-14   CISA BOD 22-01 remediation deadline
2023-12-27   Kaspersky presents full Operation Triangulation chain analysis at 37C3, revealing use of undocumented hardware