Skip to main content

Apple fixes 16 security flaws with iOS 16.6, two actively exploited

Apple has released iOS 16.6 today for everyone and while the update doesn’t come with new user-facing features, it has over a dozen important security fixes. And notably, two of the fixes are for actively exploited flaws.

After releasing iOS 16.6 along with iPadOS 16.6, tvOS 16.6, watchOS 9.6, and macOS 13.5 with “important bug fixes and security updates” this morning, Apple shared all the fine details on its security page.

16 security fixes and two for actively exploited flaws

The 16 patched flaws range from categories including kernel, Find My, WebKit, and Apple Neural Engine.

Apple says that two were likely actively exploited. A patch was first made available for the exploited WebKit flaw with Rapid Security Response iOS 16.5.1 (c). And the kernal flaw that was likely actively exploited may have been first fixed with iOS 15.7.1. However, Apple says these issues are also addressed with iOS 16.6.

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. 

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231
CVE-2023-37450: an anonymous researcher

This issue was first addressed in Rapid Security Response iOS 16.5.1 (c) and iPadOS 16.5.1 (c).

Here are the full security details for the 16 patches coming with iOS 16.6:


Apple Neural Engine

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-38136: Mohamed GHANNAM (@_simo36)

CVE-2023-38580: Mohamed GHANNAM (@_simo36)

Find My

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

CVE-2023-38261: an anonymous researcher

CVE-2023-38424: Certik Skyfall Team

CVE-2023-38425: Certik Skyfall Team

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. 

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to elevate privileges

Description: The issue was addressed with improved checks.

CVE-2023-38410: an anonymous researcher

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved checks.

CVE-2023-38603: Zweig of Kunlun Lab

libxpc

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

libxpc

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

NSURLSession

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improvements to the file handling protocol.

CVE-2023-32437: Thijs Alkemade from Computest Sector 7

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune – India

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren

WebKit Bugzilla: 257387
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231
CVE-2023-37450: an anonymous researcher

This issue was first addressed in Rapid Security Response iOS 16.5.1 (c) and iPadOS 16.5.1 (c).

WebKit Process Model

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 258100
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

WebKit Web Inspector

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)


Additional recognition

Mail

We would like to acknowledge Parvez Anwar for their assistance.

WebRTC

We would like to acknowledge an anonymous researcher for their assistance.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications