CVE-2023-36495: Input Validation
Published Jul 24, 2023
·Updated
Accessibility. A privacy issue was addressed with improved private data redaction for log entries.
Credit
香农的三蹦子(Pangu Lab), Nick Brook, Kirin@@Pwnrin, pattern-f@@pattern_F_(Ant Security Light), Mohamed GHANNAM@@_simo36, Wojciech Regula(SecuRing), Kirin@@Pwnrin(SecuRing), (SecuRing), found by OSS-Fuzz, Zweig(Kunlun Lab), an anonymous researcher, Pan ZhenPeng@@Peterpan0927(STAR Labs SG Pte), Peter Nguyễn Vũ Hoàng@@peternguyen14(STAR Labs SG Pte), Certik Skyfall Team, Valentin Pashkov(Kaspersky), Mikhail Vinogradov(Kaspersky), Georgy Kucherin@@kucher1n(Kaspersky), Leonid Bezvershenko@@bzvr_(Kaspersky), (Kaspersky), Boris Larin@@oct0xor(Kaspersky), Kaitao Xie(Alibaba Group), Xiaolong Bai(Alibaba Group), Certik Skyfall Team(Ant Security Light), Sei K., Zhipeng Huo@@R3dF09(Tencent Security Xuanwu Lab), Noah Roskin-Frazee, Thijs Alkemade(Computest Sector 7), Adam M., Johan Carlsson (joaxcar), Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, Yuval Yarom, Narendra Bhati (twitter.com/imnarendrabhati)(Suma Soft Pvt), Pune - India(TU Wien), Valentino Dalla Valle(TU Wien), Pedro Bernardo(TU Wien), Marco Squarcina(TU Wien), (TU Wien), Lorenzo Veronese(TU Wien), Pune - India, Yuhao Hu, Jiming Wang, Jikai Ren, Anonymous(Trend Micro Zero Day Initiative), Francisco Alonso@@revskills, Junsung Lee, 이준성(Junsung Lee)(Cross Republic), Apple, YeongHyeon Choi@@hyeon101010, Mickey Jin@@patch1t, Gergely Kalman@@gergely_kalman, Erhad Husovic, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322, Bool(YunShangHuaAn), Arsenii Kostromin (0x3c3e), Taavi Eomäe(Zone Media O), Mickey Jin@@patch1t(Trend Micro Zero Day Initiative), (Trend Micro Zero Day Initiative), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), CVE-2023-1916, Jonathan Bar Or(Microsoft), Emanuele Cozzi(Microsoft), (Microsoft), Michael Pearse(Microsoft), Csaba Fitzl@@theevilbit(Offensive Security), Sandipan Roy, James Duffy (mangoSecure), Michael Cowell, David Hoyt(Hoyt LLC), Wenchao Li(Hangzhou Orange Shield Information Technology Co), Xiaolong Bai(Hangzhou Orange Shield Information Technology Co), Ltd., CVE-2023-1801, Matthew Loewen, CVE-2023-2426, CVE-2023-2609, CVE-2023-2610, Yiğit Can YILMAZ@@yilmazcanyigit, Pr, Yishu Wang, ABC Research s.r.o.
Affected Software
16 affected componentsFixes available
Apple tvOS<16.6
16.6
Apple WatchOS<9.6
9.6
Apple macOS Monterey<12.6.8
12.6.8
Apple macOS Ventura<13.5
13.5
Apple iOS<16.6
16.6
Apple iPadOS<16.6
16.6
Apple iOS<15.7.8
15.7.8
Apple iPadOS<15.7.8
15.7.8
Apple iPadOS<15.7.8
Apple iPadOS>=16.0<16.6
Apple iPhone OS<15.7.8
Apple iPhone OS>=16.0<16.6
Apple macOS>=12.0<12.6.8
Apple macOS>=13.0<13.5
Apple tvOS<16.6
Apple WatchOS<9.6
Event History
Jul 24, 2023
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Jul 28, 2023
CVE Published
via MITRE·04:30 AM
Data Sourced
via MITRE·04:30 AM
DescriptionWeakness
Frequently Asked Questions
1
What is CVE-2023-36495?
CVE-2023-36495 is a vulnerability in the kernel of Apple devices that allows an app to execute arbitrary code with kernel privileges.
2
How severe is CVE-2023-36495?
CVE-2023-36495 has a severity rating of 9.8, which is classified as critical.
3
Which software versions are affected by CVE-2023-36495?
macOS Monterey 12.6.8, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, and macOS Ventura 13.5 are affected by CVE-2023-36495.
4
How can I fix CVE-2023-36495?
To fix CVE-2023-36495, update your device to watchOS 9.6 or later, macOS Monterey 12.6.8 or later, iOS 15.7.8 or later, iPadOS 15.7.8 or later, tvOS 16.6 or later, or macOS Ventura 13.5 or later.
5
Where can I find more information about CVE-2023-36495?
More information about CVE-2023-36495 can be found on Apple's official support page: [link].