What is Apple iOS/iPadOS?
Apple iOS and iPadOS power iPhones and iPads used by hundreds of millions of individuals, business professionals, and government employees worldwide. iOS kernel vulnerabilities are among the most consequential in the security industry: a kernel privilege escalation achieved by a malicious app on an iPhone allows complete compromise of the device — access to encrypted communications, location data, contacts, and photos, plus the ability to install persistent monitoring tools. Commercial spyware vendors (NSO Group, Intellexa, Paragon, and others) have repeatedly exploited iOS use-after-free and type-confusion vulnerabilities to build full-device implants targeting journalists, diplomats, dissidents, and government officials.
Overview
CVE-2023-41974 is a use-after-free vulnerability in Apple iOS and iPadOS that allows a malicious application to execute arbitrary code with kernel privileges. Apple patched it in iOS 17 and iPadOS 17 (released September 18, 2023). The formal CVE was published in January 2024. CISA added it to the Known Exploited Vulnerabilities catalog in March 2026 — approximately 2.5 years after the iOS 17 patch — confirming that the vulnerability was under active exploitation, most likely in targeted spyware campaigns against high-value individuals.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS | Prior to iOS 17 | iOS 17 |
| iPadOS | Prior to iPadOS 17 | iPadOS 17 |
Users still running iOS 16.x or earlier are vulnerable. Apple provides iOS 17 for iPhone XS and later, iPad Pro (2nd generation and later), iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).
Technical Details
CWE-416 (Use After Free). A use-after-free vulnerability occurs when a program continues to use a pointer to memory that has already been freed (deallocated). In iOS kernel code, a use-after-free can allow an attacker to place attacker-controlled data in the freed memory location and then trigger the kernel to dereference the dangling pointer, so that the kernel operates on attacker-controlled data, or ultimately executes attacker-controlled code, within the kernel context.
The local attack vector (AV:L) indicates that the vulnerability requires the attacker to have a malicious application running on the device, whether installed through the App Store (a malicious app that bypasses Apple review), delivered by a browser exploit chain that installs a malicious app, or obtained through social engineering. The User Interaction: Required (UI:R) metric reflects that some user action (opening a file, visiting a page) is needed to trigger the malicious application's exploit code.
Kernel code execution on iOS enables full device compromise: bypassing the device's sandbox restrictions, accessing the file system and keychain, and installing persistent monitoring tools that survive reboots.
Discovery
The vulnerability was identified and reported to Apple by security researchers. Apple patched it in the iOS 17 release (September 2023). The 2.5-year gap between patch and CISA KEV addition is consistent with the pattern of commercial spyware vendors developing and using iOS exploits in targeted campaigns long after patches are available — since their targets (high-value individuals such as journalists, dissidents, and government officials) may run older iOS versions or receive delayed updates through enterprise management systems.
Exploitation Context
The March 2026 CISA KEV addition with confirmed active exploitation suggests ongoing use by sophisticated threat actors — consistent with commercial mobile spyware operations that develop exploit chains targeting specific iOS versions and device configurations. Commercial spyware vendors maintain zero-day and N-day iOS exploits as a core product capability, deploying them in targeted operations against specific individuals rather than in mass campaigns.
Federal government employees and contractors using iPhones with iOS versions prior to iOS 17 are at risk.
Remediation
- Update all iPhones and iPads to iOS 17 or later immediately (current: iOS 18.x) — this patches CVE-2023-41974 along with all subsequent vulnerabilities fixed in iOS 17 and 18 releases.
- Enable automatic updates on all managed iOS devices to ensure timely patching of future vulnerabilities.
- For enterprise deployments: use Apple Business Manager and MDM (Mobile Device Management) to enforce minimum iOS version requirements and automate update deployment.
- Be aware that iOS 16 and earlier are no longer receiving security updates for this class of vulnerability on devices that support iOS 17.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-41974 |
| Vendor / Product | Apple — iOS and iPadOS |
| NVD Published | 2024-01-10 |
| NVD Last Modified | 2026-03-12 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2026-03-05 |
| CISA KEV Deadline | 2026-03-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-09-18 | Apple releases iOS 17 and iPadOS 17 patching CVE-2023-41974 among other vulnerabilities |
| 2024-01-10 | CVE-2023-41974 formally published |
| 2026-03-05 | CISA adds to Known Exploited Vulnerabilities catalog — active exploitation confirmed, approximately 2.5 years after the patch |
| 2026-03-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Content — iOS 17 and iPadOS 17 | Vendor Advisory |
| NVD — CVE-2023-41974 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |