CVE-2023-32435 — Apple Multiple Products WebKit Memory Corruption Vulnerability

CVE-2023-32435

Apple WebKit — Memory Corruption Enabling Code Execution; Component of Operation Triangulation Chain

What is Apple WebKit?

WebKit is Apple's browser engine, used by Safari and all iOS/iPadOS browsers. It processes HTML and executes JavaScript for web page rendering. Memory corruption vulnerabilities in WebKit, where crafted content causes the rendering engine to write beyond allocated buffers, allow attackers to achieve code execution within the WebKit renderer process by using the corrupted memory to overwrite function pointers or other control-flow-relevant data.

Overview

CVE-2023-32435 is a memory corruption vulnerability in WebKit that leads to code execution when processing maliciously crafted web content. It is part of the Operation Triangulation iOS exploit chain discovered by Kaspersky — one of the most sophisticated mobile spyware campaigns ever documented. The vulnerability was patched in Apple's May 18, 2023 updates (iOS 16.5, macOS Ventura 13.4). CISA added it to the KEV catalog on June 23, 2023, following Kaspersky's public campaign disclosure.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| iOS | Prior to 16.5 and prior to 15.7.6 | 16.5 / 15.7.6 |
| iPadOS | Prior to 16.5 and prior to 15.7.6 | 16.5 / 15.7.6 |
| macOS Ventura | Prior to 13.4 | 13.4 |
| Safari | Prior to 16.5 | 16.5 |

Technical Details

The vulnerability is an out-of-bounds write (CWE-787) in WebKit's JavaScript rendering code. When parsing or executing maliciously crafted JavaScript or HTML, a write operation exceeds the bounds of an allocated buffer. By carefully crafting the content to control what is written beyond the buffer, an attacker can corrupt adjacent heap structures and redirect code execution to attacker-controlled shellcode within the WebKit Web Content process.

Within the Operation Triangulation chain, CVE-2023-32435 functioned as a WebKit-level code execution primitive — one stage of the multi-exploit chain that achieved full iOS device compromise via:

  • iMessage delivery (zero-click): malicious attachment triggers WebKit/font processing
  • CVE-2023-32435: WebKit memory corruption for initial code execution
  • CVE-2023-32434: Kernel integer overflow for privilege escalation to ring 0
  • Implant persistence: Triangulation spyware installed with full device access

The Operation Triangulation chain also used CVE-2023-41990 (font parser) and exploited an undocumented Apple GPU hardware feature, making it one of the deepest iOS exploit chains ever reverse-engineered and publicly documented.

Discovery

Kaspersky researchers discovered CVE-2023-32435 as part of Operation Triangulation analysis. The campaign was initially detected through anomalous network behavior on iOS devices at Kaspersky. Apple credited an anonymous reporter in its security advisory.

Exploitation Context

Operation Triangulation targeted Kaspersky employees' iPhones using a zero-click iMessage attack chain from at least 2019 through 2023. The spyware implant (the Triangulation platform) provided comprehensive surveillance capabilities: microphone recording, location tracking, photo access, and data exfiltration. Russia's FSB claimed the campaign was a US intelligence operation; the true attribution remains disputed. The sophistication of the chain (zero-click delivery, multiple chained zero-days, undocumented hardware exploitation) ranks it among the most advanced mobile attack platforms ever analyzed.

Remediation

  1. Update to iOS 16.5 / iPadOS 16.5, macOS Ventura 13.4, Safari 16.5, iOS 15.7.6 / iPadOS 15.7.6 — or any later version.
  2. Enable Lockdown Mode on devices belonging to security researchers, government officials, and others at elevated state-actor targeting risk.
  3. Enable Rapid Security Responses to receive targeted Apple security patches between major OS releases.
  4. Apply updates across all Apple platforms — the Triangulation chain targeted iOS, but the WebKit vulnerability affects macOS and other platforms as well.
  5. Consider Mobile Verification Toolkit (MVT) for forensic analysis if Triangulation-style compromise is suspected.
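
For step 1, a fleet inventory can be checked against the fixed versions in the Affected Versions table. The following is an added example, not part of the advisory or any vendor tooling: the host names and inventory rows are constructed, and the status labels and the handling of release branches the table does not list are assumptions.

```python
import csv
import io

# First fixed version per major release branch, from the Affected Versions table.
FIXED = {
    "iOS":    {15: (15, 7, 6), 16: (16, 5, 0)},
    "iPadOS": {15: (15, 7, 6), 16: (16, 5, 0)},
    "macOS":  {13: (13, 4, 0)},   # the table lists Ventura (13.x) only
    "Safari": {16: (16, 5, 0)},
}
# Assumption: a row that names one release line says nothing about older branches.
SINGLE_BRANCH = {"macOS"}

def parse_version(text):
    """'16.4.1' -> (16, 4, 1); pads to three fields so 16.5 equals 16.5.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def classify(product, version):
    branches = FIXED.get(product)
    if branches is None:
        return "not-listed"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparsed"
    major = v[0]
    if major in branches:
        # Compare within the branch: 15.7.6 is fixed even though it is below 16.5.
        return "fixed" if v >= branches[major] else "vulnerable"
    if major > max(branches):
        return "fixed"        # "or any later version" in the remediation list
    if product in SINGLE_BRANCH:
        return "not-listed"
    return "vulnerable"       # "prior to" the lowest listed fix

# Constructed sample inventory (hypothetical hosts).
INVENTORY = """host,product,version
phone-01,iOS,16.4.1
phone-02,iOS,15.7.6
phone-03,iOS,15.7.5
tablet-01,iPadOS,16.5
mac-01,macOS,13.3.1
mac-02,macOS,12.6.5
kiosk-01,iOS,n/a
"""

def triage(csv_text=INVENTORY):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], classify(r["product"], r["version"])) for r in rows]
```

Rows reported as "not-listed" or "unparsed" need a manual check against Apple's advisories rather than being treated as safe.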

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-32435 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2023-06-23 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2023-06-23 |
| CISA KEV Deadline | 2023-07-14 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2023-07-14. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2023-05-18 | Apple patches CVE-2023-32435 in iOS 16.5, macOS 13.4 (initially alongside CVE-2023-32373/32409) |
| 2023-06-01 | Kaspersky publicly discloses Operation Triangulation |
| 2023-06-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-07-14 | CISA BOD 22-01 remediation deadline |