CVE-2023-41992 — Apple Multiple Products Kernel Privilege Escalation Vulnerability

CVE-2023-41992

Apple iOS/iPadOS/macOS/watchOS — Kernel LPE in BLASTPASS Chain, Attributed to NSO Group Pegasus

What is the Apple XNU Kernel?

The XNU kernel powers iOS, iPadOS, macOS, watchOS, and tvOS. It enforces memory isolation between processes and between user space and kernel space. A kernel privilege escalation vulnerability allows code already running on the device to break out of all sandbox restrictions and achieve full control of the operating system — enabling persistent spyware implantation, data exfiltration, and the disabling of security features. Kernel exploits are the most valuable and sensitive class of mobile vulnerability.

Overview

CVE-2023-41992 is a kernel privilege escalation vulnerability affecting iOS, iPadOS, macOS, and watchOS. It is one of three zero-days (along with CVE-2023-41991 and CVE-2023-41993) that form the BLASTPASS exploit chain — a fully zero-click iMessage attack attributed to NSO Group's Pegasus spyware. Citizen Lab discovered the exploit in early September 2023 on a device belonging to a Washington DC-based civil society organization employee, and notified Apple. Apple shipped patches on September 21, 2023, for all affected platforms.

Affected Versions

Product          Affected                              Fixed
iOS              Prior to 16.7 and prior to 17.0.1     16.7 / 17.0.1
iPadOS           Prior to 16.7 and prior to 17.0.1     16.7 / 17.0.1
macOS Ventura    Prior to 13.6                         13.6
macOS Monterey   Prior to 12.7                         12.7
watchOS          Prior to 9.6.3 and prior to 10.0.1    9.6.3 / 10.0.1

Technical Details

Apple describes CVE-2023-41992 as allowing "a local attacker to elevate their privileges" and characterizes the root cause as improper handling of exceptional conditions (CWE-754) in the kernel. In the context of the BLASTPASS chain, this is the privilege escalation component:

  1. CVE-2023-41993 (WebKit) — the attacker delivers malicious PassKit/image attachment content via iMessage. WebKit processes it with zero user interaction, achieving renderer process code execution.
  2. CVE-2023-41991 (Security framework) — used to bypass certificate validation checks.
  3. CVE-2023-41992 (XNU Kernel) — escalates from the code execution achieved in the sandboxed WebKit context to full kernel (ring 0) privileges, enabling Pegasus to be installed persistently.

The zero-click delivery via iMessage PassKit attachments (image files that trigger WebKit parsing) is particularly alarming — the victim receives a message and the device is compromised without any interaction.

Discovery

Bill Marczak of The Citizen Lab (University of Toronto) and Maddie Stone of Google's Project Zero discovered and analyzed the BLASTPASS chain. Citizen Lab captured the exploit on September 7, 2023, from a device that was compromised without any interaction by the victim.

Exploitation Context

The BLASTPASS chain was deployed by NSO Group's Pegasus spyware infrastructure against an individual associated with a civil society organization in Washington, DC. Pegasus is a commercial surveillance tool sold by the Israeli firm NSO Group to government customers and has been consistently linked to targeting of journalists, lawyers, human rights defenders, and political opposition figures globally.

The September 2023 patches were emergency releases — Apple shipped them across all active OS branches simultaneously, reflecting the severity of an active zero-click attack. Citizen Lab recommended activating Lockdown Mode on devices belonging to at-risk individuals.

Remediation

  1. Update all Apple devices immediately: iOS 17.0.1, iOS 16.7, iPadOS 17.0.1, iPadOS 16.7, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 9.6.3 or 10.0.1.
  2. Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) for individuals at elevated risk of targeted spyware attacks — it restricts iMessage functionality and significantly raises the cost of zero-click exploits.
  3. Keep all Apple devices on the latest OS version — Apple's rapid response to zero-click exploit chains requires staying current.
  4. For enterprise and government: mandate timely iOS updates via MDM; devices more than one minor version behind should be flagged as non-compliant.
  5. If a targeted attack is suspected: contact Citizen Lab's Access Now Digital Security Helpline or a qualified digital forensics provider — Pegasus infections are detectable using the Mobile Verification Toolkit (MVT).
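As an added example (not part of this advisory), the following encodes the Affected Versions table above and flags devices in an MDM inventory export that still sit below the fixed release for their OS branch, which is the check item 4 asks for. The inventory rows are constructed, and a major release newer than any fixed branch is assumed to carry the fix.

```python
# Fixed releases per OS branch, taken from the advisory's Affected Versions table.
FIXED_RELEASES = {
    "iOS":     {16: "16.7", 17: "17.0.1"},
    "iPadOS":  {16: "16.7", 17: "17.0.1"},
    "macOS":   {12: "12.7", 13: "13.6"},      # Monterey / Ventura
    "watchOS": {9: "9.6.3", 10: "10.0.1"},
}

def parse_version(text, width=3):
    """'16.7' -> (16, 7, 0): pad so that 16.7 compares equal to 16.7.0, not below it."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many version components in {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

def patch_status(product, version):
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for one device.

    Assumption: a branch newer than every fixed branch (e.g. macOS 14) shipped after
    the September 2023 patches and contains the fix. A branch older than every fixed
    branch has no fix listed in this advisory, so it is reported separately instead of
    being silently treated as patched.
    """
    branches = FIXED_RELEASES[product]
    v = parse_version(version)
    major = v[0]
    if major in branches:
        return "patched" if v >= parse_version(branches[major]) else "vulnerable"
    if major > max(branches):
        return "patched"
    return "unsupported-branch"

def non_compliant(inventory):
    """Rows (device_id, product, version) that need action, with their status appended."""
    return [(dev, prod, ver, patch_status(prod, ver))
            for dev, prod, ver in inventory
            if patch_status(prod, ver) != "patched"]

# Constructed sample inventory; not real MDM data.
SAMPLE_INVENTORY = [
    ("ipad-01",   "iPadOS",  "16.6.1"),   # below 16.7
    ("iphone-02", "iOS",     "17.0.1"),   # exactly the fixed release
    ("iphone-03", "iOS",     "16.7"),     # exactly the fixed release
    ("mac-04",    "macOS",   "13.5.2"),   # below 13.6
    ("mac-05",    "macOS",   "14.0"),     # newer branch, assumed fixed
    ("watch-06",  "watchOS", "9.6.2"),    # below 9.6.3
    ("iphone-07", "iOS",     "15.7.8"),   # older branch, no fix listed here
]

if __name__ == "__main__":
    for row in non_compliant(SAMPLE_INVENTORY):
        print(*row)
```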

Key Details

Property               Value
CVE ID                 CVE-2023-41992
Vendor / Product       Apple — Multiple Products
NVD Published          2023-09-21
NVD Last Modified      2025-11-05
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-754
CISA KEV Added         2023-09-25
CISA KEV Deadline      2023-10-16
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-10-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-09-07  Citizen Lab discovers the BLASTPASS exploit chain on a device belonging to a civil society organization employee
2023-09-07  Citizen Lab notifies Apple; Apple issues Rapid Security Response patches within days
2023-09-21  Apple releases iOS 16.7, iOS 17.0.1, iPadOS 16.7, iPadOS 17.0.1, macOS Ventura 13.6, macOS Monterey 12.7, and watchOS updates — disclosing CVE-2023-41992 along with CVE-2023-41991 and CVE-2023-41993
2023-09-25  Added to the CISA Known Exploited Vulnerabilities catalog
2023-10-16  CISA BOD 22-01 remediation deadline