CVE-2023-32439 — Apple Multiple Products WebKit Type Confusion Vulnerability

CVE-2023-32439

Apple WebKit: Type Confusion Enabling Code Execution via Malicious Web Content; June 2023 Emergency Security Update (iOS 16.5.1 and related point releases)

What is Apple WebKit?

WebKit is Apple's browser engine. It powers Safari on every Apple platform and is the engine all third-party browsers on iOS and iPadOS are required to use, so a WebKit bug reaches every browser on those devices. Type confusion vulnerabilities in WebKit arise when the JavaScript engine or the DOM implementation treats an object as a type other than the one it was actually allocated as, so that fields the attacker controls (an array length, an element buffer) are read where the engine expects a code pointer, a vtable, or another privileged structure. Type confusion in browser engines is among the most reliably exploitable bug classes for achieving initial code execution, because the attacker usually gets a deterministic memory-safety primitive rather than a race or a probabilistic corruption.

Overview

CVE-2023-32439 is a type confusion vulnerability in WebKit that leads to code execution when processing maliciously crafted web content. Apple patched it as an actively exploited zero-day on June 21, 2023 in emergency point releases across iOS 16.5.1, macOS Ventura 13.4.1, Safari 16.5.1, and iOS/iPadOS 15.7.7. CISA added it to the KEV catalog two days later. The June 2023 update also patched CVE-2023-32434 (kernel integer overflow, Operation Triangulation component), suggesting this was a period of intense iOS exploit activity.

Affected Versions

Product        Affected                                      Fixed
iOS            16.x prior to 16.5.1; 15.x prior to 15.7.7    16.5.1 / 15.7.7
iPadOS         16.x prior to 16.5.1; 15.x prior to 15.7.7    16.5.1 / 15.7.7
macOS Ventura  Prior to 13.4.1                               13.4.1
Safari         Prior to 16.5.1                               16.5.1

Technical Details

Type confusion (CWE-843) in WebKit occurs when the JavaScript engine or DOM processing code uses an object of one type where a different type is expected, typically through a downcast that was never guarded by a type check, or that was guarded once and then invalidated by a side effect (a callback that changed the object's shape between the check and the use). By constructing a JavaScript sequence that triggers the wrong type assumption, for example causing an array to be treated as a function object, an attacker controls what the engine reads as a function pointer or method dispatch entry. That gives control of the instruction pointer inside the WebKit WebContent process. Modern WebKit hardens the JIT region and uses pointer authentication on arm64e, so the payload is normally a JIT-spray or ROP/JOP chain rather than plain shellcode, and because WebContent is sandboxed the result is only the first stage: a separate kernel or sandbox-escape bug is needed to reach the rest of the device.
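The mechanism above, as an added illustration in C. This is not WebKit or JavaScriptCore code and does not reproduce CVE-2023-32439; it is a toy tagged object model in which an array's length field sits at the same offset as a function object's native code pointer, so an unchecked downcast turns an attacker-chosen integer into a call target. The names (Cell, ArrayObj, FuncObj, as_func) and the 0x4141... value are assumptions made for the example; the vulnerable path returns the would-be target instead of jumping to it so the program does not crash.

```c
/*
 * Added illustration of CWE-843 (type confusion) in an engine-style object
 * model. Not WebKit code; layout, tags and names are assumptions for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { T_ARRAY = 1, T_FUNC = 2 } Tag;

/* Every heap cell starts with a type tag, as in a tagged object model. */
typedef struct { uint32_t tag; } Hdr;

/* An array: length plus out-of-line storage. 'length' is attacker-chosen. */
typedef struct { Hdr h; uintptr_t length; int64_t *elements; } ArrayObj;

/* A callable: the slot right after the header holds a native code pointer. */
typedef struct { Hdr h; int (*native)(int); } FuncObj;

/* One allocation viewed through every type: exactly what a bad cast does. */
typedef union { Hdr h; ArrayObj a; FuncObj f; } Cell;

static int native_double(int x) { return 2 * x; }

/* Vulnerable: believes the caller about the type and never checks the tag. */
static uintptr_t vulnerable_call_target(Cell *c)
{
    FuncObj *f = &c->f;            /* unchecked downcast */
    return (uintptr_t)f->native;   /* whatever bytes occupy that slot */
}

/* Hardened: every downcast is guarded by the tag; NULL on mismatch. */
static FuncObj *as_func(Cell *c)
{
    return (c != NULL && c->h.tag == T_FUNC) ? &c->f : NULL;
}

static int safe_dispatch(Cell *c, int arg, int *ok)
{
    FuncObj *f = as_func(c);
    if (f == NULL) { *ok = 0; return 0; }   /* refuse; never dereference */
    *ok = 1;
    return f->native(arg);
}

/* Attacker-shaped object: an array whose length overlaps FuncObj.native. */
static void make_confused_array(Cell *c, uintptr_t attacker_length)
{
    memset(c, 0, sizeof *c);
    c->a.h.tag = T_ARRAY;
    c->a.length = attacker_length;   /* constructed value, e.g. 0x4141... */
    c->a.elements = NULL;
}

/* The "function pointer" the vulnerable path would jump to. */
uintptr_t demo_confused_target(void)
{
    Cell c;
    make_confused_array(&c, (uintptr_t)0x4141414141414141ULL);
    return vulnerable_call_target(&c);   /* equals the attacker's length */
}

/* 1 if the hardened path refuses to call through the array. */
int demo_hardened_refuses(void)
{
    Cell c; int ok;
    make_confused_array(&c, (uintptr_t)0x4141414141414141ULL);
    (void)safe_dispatch(&c, 21, &ok);
    return ok == 0;
}

/* 1 if a genuine function still works through the checked path (21 -> 42). */
int demo_hardened_accepts_function(void)
{
    Cell c; int ok;
    memset(&c, 0, sizeof c);
    c.f.h.tag = T_FUNC;
    c.f.native = native_double;
    return safe_dispatch(&c, 21, &ok) == 42 && ok == 1;
}

int main(void)
{
    printf("confused call target : 0x%llx\n",
           (unsigned long long)demo_confused_target());
    printf("hardened refuses array: %d\n", demo_hardened_refuses());
    printf("hardened calls function: %d\n", demo_hardened_accepts_function());
    return 0;
}
```

The point of the tag check in as_func is that it is the only thing standing between a heap layout the attacker controls and a control-flow transfer; in a real engine the equivalent guard is the structure or cell-type check that a JIT optimizer may decide to elide or that a side effect may invalidate after it ran.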

The June 21, 2023 emergency release addressed CVE-2023-32439 alongside CVE-2023-32434, a kernel integer overflow. Apple's advisory said the kernel bug may have been exploited against versions of iOS released before iOS 15.7 (the Operation Triangulation chain) but gave no such detail for the WebKit bug, so it is not established that the two were used together. Either they formed a new chain separate from the May 2023 pair (CVE-2023-32373 and CVE-2023-32409), or Apple found further exploitation pairing the kernel bug with this WebKit entry point. In either case a WebKit bug like this one is only the first stage: it yields code execution inside the sandboxed WebContent process and needs a kernel or sandbox-escape bug to compromise the device.

Discovery

Apple's advisory credits an anonymous researcher for CVE-2023-32439. The kernel bug shipped in the same release, CVE-2023-32434, was credited to Georgy Kucherin, Leonid Bezvershenko and Boris Larin of Kaspersky, who found it while investigating Operation Triangulation. Apple used its standard wording for CVE-2023-32439, that it "may have been actively exploited", without naming the actors or targets; the anonymous credit is consistent with the pattern of in-the-wild browser bugs reported by vendors or researchers who track commercial surveillance tooling, but that is inference rather than something Apple stated.

Exploitation Context

The back-to-back Apple emergency releases in May and June 2023 — each patching actively exploited WebKit zero-days — reflect the sustained commercial spyware industry pressure on Apple's security during this period. Multiple vendors (NSO Group, Intellexa/Predator, and others) were actively developing and deploying iOS exploit chains. Each time Apple patches one chain, operators pivot to alternative entry points.

CISA added the CVE to KEV on June 23, two days after the patch, with a three-week remediation deadline; a two-day turnaround reflects confirmed active exploitation rather than a precautionary listing.

Remediation

  1. Update to iOS 16.5.1 / iPadOS 16.5.1, macOS Ventura 13.4.1, Safari 16.5.1, iOS/iPadOS 15.7.7 — or any later version.
  2. Enable Lockdown Mode for high-risk individuals — it restricts JavaScript JIT compilation and other features commonly exploited in WebKit type confusion chains.
  3. Enable Rapid Security Responses (Settings → General → Software Update → Automatic Updates → Security Responses & System Files) to receive targeted WebKit and system patches without waiting for a full OS update. Note that this particular fix shipped as a full point release, not as a Rapid Security Response, so the setting alone would not have delivered it; a later WebKit zero-day fix (iOS 16.5.1 (a), July 2023) did ship as an RSR.
  4. Keep Safari updated on older macOS releases. Safari 16.5.1 was offered as a standalone update for macOS Big Sur and macOS Monterey via Software Update; on macOS Ventura the fix is part of 13.4.1, so Ventura machines need the full OS update.

Key Details

Property              Value
CVE ID                CVE-2023-32439
Vendor / Product      Apple — Multiple Products
NVD Published         2023-06-23
NVD Last Modified     2025-10-23
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-843 (Access of Resource Using Incompatible Type, 'Type Confusion')
CISA KEV Added        2023-06-23
CISA KEV Deadline     2023-07-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-07-14. Apply updates per vendor instructions.

Timeline

Date          Event
2023-06-21    Apple releases iOS 16.5.1, iPadOS 16.5.1, macOS Ventura 13.4.1, Safari 16.5.1, and iOS/iPadOS 15.7.7, patching CVE-2023-32439 as actively exploited
2023-06-23    Added to CISA Known Exploited Vulnerabilities catalog
2023-07-14    CISA BOD 22-01 remediation deadline