CVE-2023-41064 — Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow Vulnerability

Apple ImageIO — Buffer Overflow Triggered by PassKit Image Attachment; BLASTPASS Zero-Click Entry Point

What is Apple ImageIO?

ImageIO is Apple's system framework for reading and writing image file formats including JPEG, PNG, TIFF, WebP, GIF, HEIC, and many others. It is used by virtually every Apple application that displays or processes images — Camera, Messages, Mail, Photos, Safari, and thousands of third-party apps. Critically, ImageIO processes images automatically when rendering previews, including in iMessage when an attachment is received. A buffer overflow in ImageIO that can be triggered by a crafted image file is exploitable via the automatic preview mechanism without the user tapping or opening the attachment.

Overview

CVE-2023-41064 is a buffer overflow in Apple's ImageIO framework that allows code execution when processing a maliciously crafted image. It is the initial exploitation stage of the BLASTPASS zero-click iMessage attack chain, attributed to NSO Group's Pegasus spyware and discovered by Citizen Lab. When a device receives an iMessage containing a malicious PassKit (wallet pass) image attachment, ImageIO processes the image automatically to generate a preview — triggering the buffer overflow with no user interaction required. Apple patched it on September 7, 2023 with emergency releases across all platforms.

Affected Versions

Product        | Affected         | Fixed
iOS            | Prior to 16.6.1  | 16.6.1
iPadOS         | Prior to 16.6.1  | 16.6.1
macOS Ventura  | Prior to 13.5.2  | 13.5.2
watchOS        | Prior to 9.6.2   | 9.6.2

Technical Details

The vulnerability is a classic buffer overflow (CWE-120) in ImageIO's parsing code for a specific image format. When ImageIO processes a crafted image — in BLASTPASS, this was delivered as a .pkpass PassKit wallet attachment — the parsing logic fails to properly validate the size of data being written to a fixed-size buffer. The overflow writes attacker-controlled data beyond the buffer's bounds, corrupting adjacent memory.
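The size-validation failure described above, as an added illustration in C that is not ImageIO's code (the chunk layout, the 64-byte buffer and all function names are constructed for this example): a length field read from the file drives a copy into a fixed-size buffer, shown in its unchecked form beside a hardened form that rejects any length exceeding the destination capacity or the bytes actually present.

```c
/* Hypothetical image-chunk parser showing the CWE-120 pattern described
 * above. Not ImageIO code: the chunk layout, buffer size and names are
 * constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIXEL_BUF_SIZE 64   /* fixed-size destination buffer (constructed) */

/* Constructed chunk layout: 4-byte big-endian payload length, then payload. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable form: the copy length comes straight from the file. A length
 * above PIXEL_BUF_SIZE writes past 'out' and corrupts adjacent memory. */
int parse_chunk_vulnerable(const uint8_t *chunk, size_t chunk_len,
                           uint8_t out[PIXEL_BUF_SIZE]) {
    if (chunk_len < 4) return -1;
    uint32_t len = read_be32(chunk);
    memcpy(out, chunk + 4, len);                  /* no bounds check */
    return (int)len;
}

/* Hardened form: the length is checked against the destination capacity
 * and against the bytes actually present before any copy happens. */
int parse_chunk_hardened(const uint8_t *chunk, size_t chunk_len,
                         uint8_t out[PIXEL_BUF_SIZE]) {
    if (chunk_len < 4) return -1;                 /* truncated header */
    uint32_t len = read_be32(chunk);
    if (len > PIXEL_BUF_SIZE) return -2;          /* would overflow 'out' */
    if (len > chunk_len - 4) return -3;           /* claims bytes not present */
    memcpy(out, chunk + 4, len);
    return (int)len;                              /* bytes decoded */
}

/* Wrapper that parses into a private buffer and returns only the status. */
int check_chunk(const uint8_t *chunk, size_t chunk_len) {
    uint8_t out[PIXEL_BUF_SIZE];
    return parse_chunk_hardened(chunk, chunk_len, out);
}

/* Constructed samples: well-formed (8 bytes), header claiming 4096 bytes,
 * and header claiming 16 bytes when only 4 follow. */
const uint8_t GOOD_CHUNK[]      = {0, 0, 0, 8, 'A','B','C','D','E','F','G','H'};
const uint8_t OVERSIZED_CHUNK[] = {0, 0, 0x10, 0, 1, 2, 3, 4};
const uint8_t TRUNCATED_CHUNK[] = {0, 0, 0, 16, 1, 2, 3, 4};
```

The hardened parser returns the decoded byte count for the well-formed sample and a distinct negative status for each rejected header, which is the behaviour a fuzzing harness or code review should look for at every file-controlled length.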

In the BLASTPASS attack chain, CVE-2023-41064 serves as the entry point:

  1. Attacker sends iMessage containing a malicious PassKit attachment.
  2. iMessage automatically renders the attachment preview, triggering ImageIO parsing.
  3. Buffer overflow fires (CVE-2023-41064), achieving code execution in the ImageIO/Messages context.
  4. CVE-2023-41061 (Wallet validation issue) is used to continue the privilege escalation chain.
  5. The Pegasus spyware payload is installed with full device access.

The "user interaction required" in the CVSS rating refers to receiving the iMessage — the user does not need to tap, open, or acknowledge anything. In practice, this is a zero-click exploit.

Discovery

Bill Marczak of The Citizen Lab at the University of Toronto discovered BLASTPASS on September 6, 2023, on a device belonging to an individual at risk of targeting by Pegasus. Citizen Lab reported the findings to Apple immediately; Apple shipped patches the following day — an unusually rapid response reflecting the severity.

Exploitation Context

The BLASTPASS chain (CVE-2023-41064 + CVE-2023-41061) was the most actively weaponized zero-click iOS exploit at the time of its discovery. Attributed to NSO Group, the chain required no user interaction and could compromise a fully updated iPhone. Citizen Lab had observed similar Pegasus delivery mechanisms previously, but BLASTPASS used a novel PassKit-based delivery technique.

Apple's Rapid Security Response mechanism — introduced with iOS 16.4 — was designed for exactly this scenario: deploying emergency patches for actively exploited zero-days without requiring a full OS update. The September 7, 2023 patches were among the fastest emergency responses Apple has issued for a zero-click exploit chain.

Remediation

  1. Update to iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2 — or any later version.
  2. Enable Lockdown Mode for individuals at elevated risk — it restricts iMessage PassKit attachment processing, directly mitigating the BLASTPASS delivery mechanism.
  3. Stay on the latest iOS/iPadOS version — Apple's ability to rapidly patch zero-click chains depends on users applying updates; outdated devices remain vulnerable to subsequent chains.
  4. For enterprise/MDM deployments: enforce iOS version compliance and auto-update enrollment; zero-click exploits are the primary threat vector for targeted device compromise.
  5. If compromise is suspected: the Mobile Verification Toolkit (MVT) from Amnesty International can detect Pegasus artifacts on device backups or filesystem dumps.

Key Details

Property             | Value
CVE ID               | CVE-2023-41064
Vendor / Product     | Apple — iOS, iPadOS, and macOS
NVD Published        | 2023-09-07
NVD Last Modified    | 2025-11-06
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-120
CISA KEV Added       | 2023-09-11
CISA KEV Deadline    | 2023-10-02
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2023-10-02. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2023-09-06 | Citizen Lab discovers BLASTPASS exploit on a targeted individual's device and reports to Apple
2023-09-07 | Apple releases iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2, watchOS 9.6.2 patching CVE-2023-41064 and CVE-2023-41061
2023-09-11 | Added to CISA Known Exploited Vulnerabilities catalog
2023-10-02 | CISA BOD 22-01 remediation deadline