CVE-2023-42824 — Apple iOS and iPadOS Kernel Privilege Escalation Vulnerability

CVE-2023-42824

Apple iOS/iPadOS — XNU Kernel Local Privilege Escalation Exploited in the Wild

What is the iOS/iPadOS Kernel?

The XNU kernel is the core of Apple's iOS and iPadOS operating systems, responsible for memory management, process isolation, and hardware access. The kernel enforces the security boundaries between apps and the rest of the system. A kernel privilege escalation vulnerability allows an app that has achieved initial code execution (via a separate exploit) to break out of its sandbox and gain full control over the device — a necessary step for deploying persistent spyware or performing deep system modification.

Overview

CVE-2023-42824 is an unspecified local privilege escalation vulnerability in the iOS and iPadOS kernel. Apple disclosed and patched it on October 4, 2023, acknowledging that it had been actively exploited in the wild against older versions of iOS. It was addressed in iOS 16.7.2 and iPadOS 16.7.2, which targeted devices not supported by iOS 17. CISA added it to the KEV catalog the following day.

Affected Versions

Product   Affected          Fixed
iOS       Prior to 16.7.2   16.7.2
iPadOS    Prior to 16.7.2   16.7.2

The patch targeted devices running iOS/iPadOS 16 that could not upgrade to iOS 17 — including older iPhone and iPad models.

Technical Details

Apple did not publish full technical details for CVE-2023-42824, describing it only as a vulnerability through which "an app may be able to elevate privileges." The CVSS vector (AV:L/AC:L/PR:L/UI:N) describes a local privilege escalation, so exploitation follows this pattern:

  • The attacker has already achieved code execution at a low-privilege level on the device (typically via a separate browser, iMessage, or app vulnerability).
  • That code then uses the kernel vulnerability to escalate from the app sandbox to kernel privileges (loosely, "ring 0"), effectively taking control of the entire device.

This is the standard two-stage pattern for iOS exploit chains used by commercial spyware vendors: a remote code execution vulnerability delivers the initial foothold, and a kernel privilege escalation vulnerability completes the full device compromise.

Discovery

Apple credited an anonymous researcher. The active exploitation in older iOS versions before patch release indicates the vulnerability was discovered and weaponized by threat actors before Apple was aware of it — consistent with the vulnerability lifecycle observed in commercial iOS exploit chains.

Exploitation Context

CVE-2023-42824 was confirmed exploited in the wild by Apple. The targeting of older iOS 16 devices (not upgraded to iOS 17) is consistent with spyware operators maintaining exploit chains for older, still-in-use device generations. Typically such kernel privilege escalation bugs form the second stage of sophisticated exploit chains used by commercial surveillance vendors or state-sponsored actors targeting journalists, dissidents, and government officials.

Remediation

  1. Update to iOS 16.7.2 or iPadOS 16.7.2 immediately — or upgrade to iOS 17 if your device supports it.
  2. Enable Lockdown Mode on iOS 16+ for individuals at elevated risk of targeted spyware attacks — it significantly reduces the attack surface for exploit chains.
  3. Apply updates promptly for all Apple devices; Apple's security update cadence for actively exploited vulnerabilities is rapid, and delays leave devices exposed.
  4. For enterprise environments, use MDM to enforce minimum OS version compliance and flag devices that have not applied recent updates.
  5. Monitor for unexpected behavior — spyware implanted via kernel exploits is difficult to detect without specialized tools; if compromise is suspected, a full device wipe and restore from a clean backup is the most reliable remediation.
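
As an added example (not part of the advisory or of any MDM product), a compliance check of the kind step 4 describes: it parses a constructed MDM inventory export and flags iOS/iPadOS devices still below 16.7.2, comparing versions numerically rather than as strings so that two-part versions and later major releases are handled correctly. The CSV layout, device names and version values are assumptions.

```python
"""Flag MDM-inventoried iOS/iPadOS devices still exposed to CVE-2023-42824.

Constructed example: the inventory below is an invented inline CSV in the
shape most MDM consoles can export. Affected per the advisory: iOS and
iPadOS prior to 16.7.2; fixed in 16.7.2. iOS 17.x is not "prior to 16.7.2".
"""
import csv
import io

FIXED_VERSION = (16, 7, 2)  # first patched release per the advisory

# Constructed sample export; device names and versions are invented.
INVENTORY_CSV = """\
device_name,platform,os_version
journalist-iphone-8,iOS,16.7.1
finance-ipad-6,iPadOS,16.6
exec-iphone-14,iOS,17.0.3
legacy-iphone-x,iOS,16.7.2
ops-macbook,macOS,14.0
"""


def parse_version(text):
    """Turn '16.7' into (16, 7, 0) so comparisons are numeric, not lexicographic.

    Takes only the first whitespace-separated token, in case the export
    appends a build identifier after the marketing version.
    """
    parts = [int(p) for p in text.strip().split()[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(platform, os_version, fixed=FIXED_VERSION):
    """True when an iOS/iPadOS device runs anything before the fixed release."""
    if platform not in ("iOS", "iPadOS"):
        return False  # the advisory covers iOS and iPadOS only
    return parse_version(os_version) < fixed


def flag_noncompliant(csv_text):
    """Return [(device_name, platform, os_version)] for devices still exposed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device_name"], r["platform"], r["os_version"])
            for r in rows if is_vulnerable(r["platform"], r["os_version"])]


if __name__ == "__main__":
    for name, platform, version in flag_noncompliant(INVENTORY_CSV):
        print(f"NONCOMPLIANT {name}: {platform} {version} is below 16.7.2")
```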

Key Details

Property              Value
CVE ID                CVE-2023-42824
Vendor / Product      Apple — iOS and iPadOS
NVD Published         2023-10-04
NVD Last Modified     2025-11-05
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CISA KEV Added        2023-10-05
CISA KEV Deadline     2023-10-26
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-10-26. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-10-04  Apple releases iOS 16.7.2 and iPadOS 16.7.2, disclosing CVE-2023-42824 as exploited in the wild
2023-10-05  Added to CISA Known Exploited Vulnerabilities catalog
2023-10-26  CISA BOD 22-01 remediation deadline