CVE-2023-42916 — Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability

CVE-2023-42916

Apple WebKit — Out-of-Bounds Read Leaks Memory Layout via Malicious Web Content; November 2023 Zero-Day; Chained with CVE-2023-42917 for Code Execution

What is Apple WebKit?

WebKit is Apple's open-source browser rendering engine powering Safari and — by Apple platform policy — every browser on iOS and iPadOS. It processes HTML, CSS, JavaScript, and web media content, making it the mandatory entry point for all web browsing on Apple mobile platforms. Out-of-bounds read (CWE-125) vulnerabilities in WebKit occur when the JavaScript engine or DOM parser reads memory beyond the end of an allocated buffer while processing maliciously crafted web content. Unlike memory corruption vulnerabilities, an out-of-bounds read primarily leaks heap memory contents to the attacker — disclosing pointer values and heap layout that can be used to defeat ASLR (Address Space Layout Randomization) and enable a subsequent code execution stage. In commercial exploit chains, information leak primitives are paired with memory corruption vulnerabilities to form complete, reliable exploits.

Overview

CVE-2023-42916 is an out-of-bounds read vulnerability (CWE-125) in WebKit that allows a remote attacker to leak sensitive memory contents when a user visits a malicious web page. Apple patched it in emergency out-of-band security updates on November 30, 2023 (iOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2) as part of a two-vulnerability chain alongside CVE-2023-42917 (a WebKit memory corruption vulnerability enabling code execution). CVE-2023-42916 provides the memory disclosure stage of the chain — defeating ASLR — while CVE-2023-42917 provides the code execution stage. Both were discovered by Clément Lecigne of Google's Threat Analysis Group (TAG).

CISA added CVE-2023-42916 to the KEV catalog four days after the emergency patch, consistent with Apple's pattern of emergency out-of-band releases for actively exploited zero-day chains.

Affected Versions

Product          Affected           Fixed
iOS and iPadOS   Prior to 17.1.2    17.1.2
macOS Sonoma     Prior to 14.1.2    14.1.2
Safari           Prior to 17.1.2    17.1.2

Note: Apple may have released separate patches for older iOS/macOS versions — consult Apple's security updates page for the complete list.

Technical Details

Out-of-bounds reads (CWE-125) in WebKit occur when the JavaScript JIT compiler or DOM engine reads past the end of an allocated heap buffer during processing of crafted web content. The read leaks adjacent heap memory to JavaScript-accessible values, allowing an attacker to:

  1. Construct a crafted web page — deliver JavaScript that triggers the out-of-bounds read in a specific WebKit code path
  2. Observe the leaked data — JavaScript can observe the leaked memory values returned by the vulnerable read operation
  3. Identify heap pointers — leaked adjacent heap data typically contains pointers to other objects; by correlating these pointers with known object layouts, the attacker can infer the absolute addresses of WebKit heap objects, defeating ASLR
  4. Chain with CVE-2023-42917 — armed with concrete heap addresses, the memory corruption in CVE-2023-42917 can be precisely targeted for reliable code execution

The C:H/I:N/A:N CVSS score reflects that CVE-2023-42916 alone achieves information disclosure rather than code execution — but in the context of the chained exploit, it is the enabling stage that makes CVE-2023-42917 reliably exploitable.

Discovery

Clément Lecigne of Google's Threat Analysis Group (TAG) discovered and reported both CVE-2023-42916 and CVE-2023-42917 to Apple. TAG's involvement and Apple's emergency out-of-band patch cadence (rather than waiting for a regular security update cycle) indicate these vulnerabilities were observed in active exploitation by a commercial surveillance vendor or advanced threat actor targeting high-value individuals.

Exploitation Context

WebKit zero-day chains discovered by Google TAG are consistently associated with commercial mobile spyware delivery. The November 2023 chain (CVE-2023-42916 + CVE-2023-42917) follows the same pattern as Apple's earlier 2023 emergency WebKit patches (February: CVE-2023-23529; April: CVE-2023-28205 + CVE-2023-28206; September: BLASTPASS chain). The C:H confidentiality impact of the OOB read, combined with a separate code execution primitive, is the standard architecture for sophisticated browser exploit chains that target iOS devices without requiring any user interaction beyond visiting a URL.

Remediation

  1. Update to iOS/iPadOS 17.1.2 — apply via Settings → General → Software Update.
  2. Update macOS Sonoma to 14.1.2 — apply via System Settings → General → Software Update.
  3. Update Safari to 17.1.2 — applied automatically via macOS Software Update.
  4. Enable automatic updates — Apple delivers emergency zero-day patches through automatic updates; enabling this minimizes exposure window.
  5. Consider Lockdown Mode for individuals at elevated risk of targeted spyware attacks (journalists, activists, human rights workers, political figures) — Lockdown Mode restricts WebKit processing features used in commercial surveillance exploit chains.
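To turn the fixed versions above into a fleet check, here is an added Python example (not part of the original advisory) that triages an inventory of device records against the patched releases; the inventory rows, hostnames and the "check-backports" label are constructed for this example, and any device on an older major release is flagged for manual review rather than assumed patched or affected.

```python
# Fixed versions from the advisory: anything earlier on the same product is affected.
FIXED_VERSIONS = {
    "iOS": (17, 1, 2),
    "iPadOS": (17, 1, 2),
    "macOS Sonoma": (14, 1, 2),
    "Safari": (17, 1, 2),
}

def parse_version(text: str) -> tuple:
    """Turn '17.1.2' or '14.1' into a comparable tuple, padding to three fields."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product: str, version: str) -> str:
    """Return 'patched', 'affected' or 'check-backports' for one product/version pair."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"{product!r} is not a product listed for CVE-2023-42916")
    installed = parse_version(version)
    if installed >= fixed:
        return "patched"
    if installed[0] < fixed[0]:
        # Older major release: the advisory says Apple may ship separate patches, so verify manually.
        return "check-backports"
    return "affected"

def triage(inventory):
    """Group (hostname, product, version) records by assessment outcome."""
    result = {"patched": [], "affected": [], "check-backports": []}
    for host, product, version in inventory:
        result[assess(product, version)].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("mac-01", "macOS Sonoma", "14.1.2"),
    ("mac-02", "macOS Sonoma", "14.1.1"),
    ("phone-01", "iOS", "17.1.2"),
    ("phone-02", "iOS", "17.1"),
    ("phone-03", "iOS", "16.7.2"),
    ("mac-03", "Safari", "17.2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```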

Key Details

Property: Value
CVE ID: CVE-2023-42916
Vendor / Product: Apple — Multiple Products
NVD Published: 2023-11-30
NVD Last Modified: 2025-10-23
CVSS 3.1 Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM
CWE: CWE-125
CISA KEV Added: 2023-12-04
CISA KEV Deadline: 2023-12-25
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-12-25. Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Timeline

Date        Event
2023-11-30  Apple releases emergency out-of-band patches — iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 — patching CVE-2023-42916 and CVE-2023-42917 as actively exploited zero-days; CVE published
2023-12-04  CISA adds CVE-2023-42916 to the Known Exploited Vulnerabilities catalog — four days after emergency patch release
2023-12-25  CISA BOD 22-01 remediation deadline