CVE-2023-38606 — Apple Multiple Products Kernel Unspecified Vulnerability

CVE-2023-38606

Apple XNU Kernel — Hardware MMIO Register Bypass Allows App to Modify Protected Kernel State; Operation Triangulation Component; July 2023 Zero-Day

What is the Apple XNU Kernel?

XNU (X is Not Unix) is the hybrid kernel at the core of Apple's operating systems — iOS, iPadOS, macOS, watchOS, and tvOS. The XNU kernel manages hardware resources, process isolation, memory protection, and system call interfaces. Apple Silicon (M1/M2) and Apple A-series chips have hardware memory protection mechanisms designed to prevent unauthorized modification of kernel memory and protected regions. Vulnerabilities that allow user-space code to influence or bypass these hardware-level protections — particularly through undocumented hardware interfaces — represent a qualitatively new class of iOS kernel exploitation that is exceptionally difficult to discover and patch.

Overview

CVE-2023-38606 is an improper access control vulnerability (CWE-284) in the Apple XNU kernel that allows a malicious application to modify sensitive kernel state — specifically by accessing undocumented hardware memory-mapped I/O (MMIO) registers in Apple Silicon chips that can bypass the page protection mechanisms designed to protect kernel memory. Apple patched it in iOS 16.6 and macOS Ventura 13.5 (released July 24, 2023) as an actively exploited zero-day. The kevAdded date (July 26) is one day before the formal NVD datePublished date (July 27): CISA added it based on Apple's security advisory before NVD's publishing pipeline completed.

CVE-2023-38606 was identified as a component of the Operation Triangulation exploit chain targeting Apple devices. Kaspersky GReAT researchers analyzing TriangleDB spyware samples discovered that the chain leveraged previously undocumented hardware features in Apple Silicon to achieve kernel memory manipulation that bypassed standard iOS security protections.

Affected Versions

Product           Affected           Fixed
iOS and iPadOS    Prior to 16.6      16.6
macOS Ventura     Prior to 13.5      13.5
macOS Monterey    Prior to 12.6.8    12.6.8
macOS Big Sur     Prior to 11.7.9    11.7.9
watchOS           Prior to 9.6       9.6
tvOS              Prior to 16.6      16.6

Technical Details

CVE-2023-38606 is a highly unusual kernel vulnerability because it exploits undocumented hardware functionality rather than a software implementation error in the traditional sense. Kaspersky's analysis of Operation Triangulation revealed that the exploit chain leveraged MMIO (memory-mapped I/O) registers in Apple's GPU/DMA hardware subsystems that are not documented in any public Apple security documentation or developer SDKs.

The exploit technique:

  1. Identify undocumented MMIO registers — Kaspersky discovered that certain hardware registers in Apple Silicon allow writing to physical memory pages in a way that bypasses the PPL (Page Protection Layer) — Apple's hardware-enforced kernel memory protection
  2. Exploit the hardware register access — user-space code (running within the exploit chain's context) writes to these MMIO registers through a DMA request, causing hardware-level memory writes to protected kernel regions
  3. Bypass kernel protection — the PPL (which normally prevents unauthorized modification of kernel page tables and code) does not intercept these hardware-originated writes, allowing the attacker to modify kernel data structures and gain full kernel code execution

This class of hardware-level exploitation — abusing undocumented chip features — is exceptionally rare and suggests extremely advanced exploit development capabilities. Apple's patch for CVE-2023-38606 adds bounds checking and access restrictions to the previously exploitable hardware register paths.

Discovery

CVE-2023-38606 was discovered and documented by Kaspersky GReAT (Global Research and Analysis Team) researchers — primarily Boris Larin, Leonid Bezvershenko, and Georgy Kucherin — during their analysis of the Operation Triangulation iOS spyware campaign. Kaspersky presented their findings at the 37th Chaos Communication Congress (37C3) in December 2023, revealing the hardware exploitation technique as one of the most sophisticated iOS kernel attacks ever publicly documented.

The kevAdded date ("2023-07-26") preceding the NVD datePublished date ("2023-07-27") reflects CISA tracking Apple's July 24 security advisory before NVD published the CVE record.

Exploitation Context

CVE-2023-38606 was one component of the Operation Triangulation zero-click exploit chain that targeted iPhones belonging to Kaspersky employees and others, attributed to a highly sophisticated threat actor. The full Operation Triangulation chain included:

  • CVE-2023-32434 (XNU integer overflow → kernel memory read/write): an earlier kernel LPE component
  • CVE-2023-32435 (WebKit memory corruption): the initial browser-based code execution stage
  • CVE-2023-41990 (font processing RCE): alternative initial access vector
  • CVE-2023-38606: the hardware MMIO bypass for PPL circumvention

The hardware-level exploitation in CVE-2023-38606 represented capabilities that required intimate knowledge of undocumented Apple Silicon hardware — suggesting either access to Apple internal hardware documentation, extensive hardware reverse engineering, or both.

Remediation

  1. Update to iOS/iPadOS 16.6 — apply via Settings → General → Software Update.
  2. Update macOS to Ventura 13.5, Monterey 12.6.8, or Big Sur 11.7.9 — apply via Software Update.
  3. Enable automatic updates — Apple delivers zero-day patches through automatic updates; timely application minimizes exposure.
  4. Enable Lockdown Mode for individuals at elevated risk (journalists, activists, corporate executives, government officials, security researchers) — Lockdown Mode restricts multiple attack surfaces used in sophisticated zero-click chains.
  5. Reboot devices regularly — some in-memory iOS implants do not survive device reboots; regular reboots shorten the window in which an implant persists, though sophisticated variants may survive reboots.

Key Details

Property              Value
CVE ID                CVE-2023-38606
Vendor / Product      Apple — Multiple Products
NVD Published         2023-07-27
NVD Last Modified     2025-10-31
CVSS 3.1 Score        5.5
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity              MEDIUM
CWE                   CWE-284
CISA KEV Added        2023-07-26
CISA KEV Deadline     2023-08-16
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-08-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-07-24   Apple releases iOS 16.6, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, watchOS 9.6, tvOS 16.6 — patching CVE-2023-38606 and multiple other actively exploited vulnerabilities
2023-07-26   CISA adds CVE-2023-38606 to the Known Exploited Vulnerabilities catalog — one day before NVD formally publishes the CVE ID
2023-07-27   CVE-2023-38606 formally published on NVD
2023-08-16   CISA BOD 22-01 remediation deadline