CVE-2023-41061 — Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability


Apple Wallet — Validation Flaw Used as Second Stage in BLASTPASS Zero-Click Pegasus Chain

What is Apple Wallet?

Apple Wallet (formerly Passbook) is the iOS/iPadOS/watchOS app for storing and managing passes: boarding passes, event tickets, loyalty cards, coupons, and payment cards. Passes use the PassKit format: a .pkpass file is a ZIP archive containing JSON, images, and a manifest. iMessage can receive and automatically process PassKit attachments to display previews, which makes Wallet a potential attack surface wherever image-processing libraries are involved. The combination of automatic processing and system-level access to card and payment data makes Wallet a high-value target.

Overview

CVE-2023-41061 is a validation vulnerability in Apple's Wallet component that leads to code execution when processing a maliciously crafted attachment. It functions as the second stage of the BLASTPASS zero-click attack chain alongside CVE-2023-41064 (ImageIO buffer overflow). Both vulnerabilities were exploited by NSO Group's Pegasus spyware infrastructure and discovered by Citizen Lab on September 6, 2023. Apple patched them within 24 hours via emergency releases of iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2.

Affected Versions

Product    Affected           Fixed
iOS        Prior to 16.6.1    16.6.1
iPadOS     Prior to 16.6.1    16.6.1
watchOS    Prior to 9.6.2     9.6.2

Technical Details

Apple describes CVE-2023-41061 as "a validation issue" in Wallet in which "a maliciously crafted attachment may result in arbitrary code execution." In the BLASTPASS exploit chain:

  1. CVE-2023-41064 (ImageIO): The attacker sends an iMessage containing a malicious .pkpass PassKit attachment. ImageIO processes image data within the pass automatically to render a preview, triggering a buffer overflow and achieving initial code execution.
  2. CVE-2023-41061 (Wallet): The Wallet component, which handles PassKit parsing, contains a separate validation flaw that is leveraged to continue the chain — either to achieve execution in a different process context, to escalate privileges, or to bypass sandboxing constraints.

The two vulnerabilities work together: CVE-2023-41064 provides the initial execution primitive, and CVE-2023-41061 extends that into a more powerful capability. The full chain operates entirely without user interaction — receiving the iMessage is the only trigger.
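The chain above is triggered by Wallet and ImageIO parsing an untrusted pass before the user does anything. As an added example (not Apple's code, not from Citizen Lab, and not the actual fix for this CVE), the Python below shows the kind of structural validation a message-filtering gateway or MDM inspection service could apply to a .pkpass archive before any image decoder touches it: path and size limits, required members, manifest SHA-1 digests matching the stored contents, required pass.json keys, and a PNG magic-byte check. The manifest layout (manifest.json mapping file names to SHA-1 digests) and the required pass.json keys follow Apple's published pass format; the size limits, sample identifiers, image bytes and the placeholder signature member are constructed for this example, and the PKCS#7 signature is deliberately not verified here.

```python
import hashlib
import io
import json
import zipfile

# Constructed limits for this example; Apple publishes no such numbers for Wallet.
MAX_ARCHIVE_BYTES = 2 * 1024 * 1024
MAX_MEMBER_BYTES = 512 * 1024
REQUIRED_FILES = {"pass.json", "manifest.json", "signature"}
# Top-level keys Apple's pass.json format requires.
PASS_REQUIRED_KEYS = ("formatVersion", "passTypeIdentifier", "serialNumber",
                      "teamIdentifier", "organizationName", "description")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def _safe_member_name(name: str) -> bool:
    """Reject absolute paths, traversal or empty components, and odd separators."""
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    return not any(part in ("", ".", "..") for part in name.split("/"))

def validate_pkpass(data: bytes) -> list:
    """Structural checks on a .pkpass before any image decoder sees it. Returns a list of
    findings (empty means it passed). The signature member must exist but is NOT verified."""
    if len(data) > MAX_ARCHIVE_BYTES:
        return [f"archive too large: {len(data)} bytes"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a zip archive: {exc}"]
    contents = {}
    with zf:
        infos = zf.infolist()
        unsafe = [i.filename for i in infos if not _safe_member_name(i.filename)]
        if unsafe:
            return [f"unsafe member name: {n!r}" for n in unsafe]
        missing = REQUIRED_FILES - {i.filename for i in infos}
        if missing:
            return [f"missing required file: {n}" for n in sorted(missing)]
        for info in infos:
            with zf.open(info) as fh:
                blob = fh.read(MAX_MEMBER_BYTES + 1)  # bound the read; never trust declared sizes
            if len(blob) > MAX_MEMBER_BYTES:
                return [f"member too large: {info.filename}"]
            contents[info.filename] = blob
    try:
        manifest = json.loads(contents["manifest.json"])
        pass_obj = json.loads(contents["pass.json"])
    except ValueError as exc:
        return [f"JSON unreadable: {exc}"]
    if not isinstance(manifest, dict) or not all(isinstance(v, str) for v in manifest.values()):
        return ["manifest.json is not a flat name->digest object"]
    findings = []
    # Every stored file except the manifest and signature must be listed and match its SHA-1.
    for name, blob in contents.items():
        if name in ("manifest.json", "signature"):
            continue
        expected = manifest.get(name)
        if expected is None:
            findings.append(f"member not listed in manifest: {name}")
        elif hashlib.sha1(blob).hexdigest() != expected.lower():
            findings.append(f"digest mismatch: {name}")
    if not isinstance(pass_obj, dict):
        findings.append("pass.json is not a JSON object")
    else:
        findings += [f"pass.json missing key: {k}" for k in PASS_REQUIRED_KEYS
                     if not isinstance(pass_obj.get(k), (str, int))]
    # Do not hand a decoder a file whose extension lies about its format.
    findings += [f"not a PNG despite .png name: {n}" for n, b in contents.items()
                 if n.lower().endswith(".png") and not b.startswith(PNG_MAGIC)]
    return findings

def build_pkpass(files: dict, manifest_files: dict = None) -> bytes:
    # Test fixture: build a .pkpass in memory. `manifest_files`, when given, is what the manifest
    # hashes instead of `files`, simulating content altered after the manifest was written.
    hashed = files if manifest_files is None else manifest_files
    manifest = {name: hashlib.sha1(blob).hexdigest() for name, blob in hashed.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in files.items():
            zf.writestr(name, blob)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"CONSTRUCTED-PLACEHOLDER")  # not a real PKCS#7 signature
    return buf.getvalue()

# Constructed sample pass: identifiers and image bytes are made up for this example.
SAMPLE_ICON = PNG_MAGIC + b"\x00" * 32  # PNG magic plus filler, enough for the header check
SAMPLE_FILES = {"pass.json": json.dumps({
    "formatVersion": 1, "passTypeIdentifier": "pass.example.demo", "serialNumber": "demo-0001",
    "teamIdentifier": "EXAMPLE123", "organizationName": "Example Org", "description": "Demo",
}).encode(), "icon.png": SAMPLE_ICON}

def demo() -> dict:
    """Run the validator over a clean pass and three constructed malformed variants."""
    return {
        "clean": validate_pkpass(build_pkpass(SAMPLE_FILES)),
        "tampered": validate_pkpass(build_pkpass(
            {**SAMPLE_FILES, "icon.png": PNG_MAGIC + b"\xff" * 32}, manifest_files=SAMPLE_FILES)),
        "traversal": validate_pkpass(build_pkpass({**SAMPLE_FILES, "../../escaped.txt": b"x"})),
        "fake_png": validate_pkpass(build_pkpass({**SAMPLE_FILES, "icon.png": b"GIF89a" * 6})),
    }
```

Calling `demo()` returns an empty finding list for the clean pass and exactly one finding for each malformed variant. The member read is bounded rather than trusting the declared size in the central directory, and the extension-versus-magic check exists because the page's chain starts with an image decoder being handed data it was never meant to see; a filter that only trusts file names cannot catch that.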

Discovery

Bill Marczak of The Citizen Lab discovered the BLASTPASS chain being used against a targeted individual. Citizen Lab's analysis identified both CVE-2023-41064 and CVE-2023-41061 as components of the exploit and reported them to Apple on September 6, 2023.

Exploitation Context

The BLASTPASS chain (CVE-2023-41064 + CVE-2023-41061) was used by NSO Group's Pegasus platform — commercial spyware sold to government customers — to achieve zero-click compromise of fully patched iPhones. The PassKit delivery mechanism was novel at the time: by embedding the exploit in a wallet pass attachment, the attacker could trigger image parsing and wallet validation code through iMessage's automatic preview rendering, with no user action required.

Apple's response — patches within 24 hours of the report — represents one of the fastest turnarounds for a zero-click critical vulnerability in its history. CISA added both CVEs to the KEV catalog four days later.

Remediation

  1. Update to iOS 16.6.1 or iPadOS 16.6.1 (or later) immediately.
  2. Update watchOS to 9.6.2 or later for Apple Watch devices.
  3. Enable Lockdown Mode on devices belonging to high-risk individuals — it restricts how iMessage handles certain attachment types, directly reducing the attack surface for BLASTPASS-style delivery.
  4. Do not delay iOS updates — Apple's emergency patches for zero-click chains are the primary defense; any delay leaves devices vulnerable.
  5. Use Mobile Verification Toolkit (MVT) if Pegasus compromise is suspected — it can detect indicators of Pegasus infection in device backups or forensic images.

Key Details

Property               Value
CVE ID                 CVE-2023-41061
Vendor / Product       Apple — iOS, iPadOS, and watchOS
NVD Published          2023-09-07
NVD Last Modified      2025-10-23
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2023-09-11
CISA KEV Deadline      2023-10-02
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-02. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-09-06   Citizen Lab discovers the BLASTPASS exploit on a targeted device and reports it to Apple
2023-09-07   Apple releases iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, patching CVE-2023-41061 and CVE-2023-41064
2023-09-11   Added to the CISA Known Exploited Vulnerabilities catalog
2023-10-02   CISA BOD 22-01 remediation deadline