CVE-2023-40396 – This vulnerability allows an app to execute arb... (How to Fix)

Q: What is the severity of CVE-2023-40396?

CVE-2023-40396 has a CVSS score of 7.8 (HIGH). This vulnerability allows an app to execute arbitrary code with kernel privileges, potentially gaining full control over affected Apple devices. It affects iOS, iPadOS, macOS, watchOS, and tvOS systems running versions prior to the 2023 updates. The issue involves improper memory handling that could be exploited for privilege escalation.

📋 TL;DR

This vulnerability allows an app to execute arbitrary code with kernel privileges, potentially gaining full control over affected Apple devices. It affects iOS, iPadOS, macOS, watchOS, and tvOS systems running versions prior to the 2023 updates. The issue involves improper memory handling that could be exploited for privilege escalation.

💻 Affected Systems

Products:

iPhone
iPad
Mac
Apple Watch
Apple TV

Versions: Versions prior to iOS 17, iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17

Operating Systems: iOS, iPadOS, macOS, watchOS, tvOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard configurations of affected Apple operating systems are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with kernel-level access, allowing attackers to install persistent malware, steal sensitive data, bypass security controls, and use the device as a foothold for lateral movement.

🟠

Likely Case

Targeted attacks against specific users or organizations to gain elevated privileges, potentially leading to data theft, surveillance, or credential harvesting.

🟢

If Mitigated

Limited impact with proper patch management and security controls in place, though unpatched devices remain vulnerable to exploitation.

🌐 Internet-Facing: MEDIUM - While exploitation typically requires local access or malicious app installation, successful exploitation could lead to internet-accessible compromise if combined with other vulnerabilities.

🏢 Internal Only: HIGH - Internal devices are primary targets for privilege escalation attacks, especially in enterprise environments where kernel access could lead to network-wide compromise.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires an app to be installed or running on the target device. The vulnerability is in memory handling, suggesting potential for reliable exploitation by skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 17, iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17

Vendor Advisory: https://support.apple.com/en-us/HT213936

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Go to General > Software Update. 3. Download and install the latest available update. 4. Restart device when prompted.

🔧 Temporary Workarounds

Restrict App Installation

all

Limit app installation to App Store only and disable developer mode to reduce attack surface.

For iOS/iPadOS: Settings > General > Device Management > Restrict App Installation
For macOS: System Settings > Privacy & Security > Allow apps downloaded from: App Store

🧯 If You Can't Patch

Implement strict application allowlisting and monitor for unauthorized app installations
Isolate vulnerable devices from critical network segments and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check current OS version against affected versions list. For iOS/iPadOS: Settings > General > About > Version. For macOS: Apple menu > About This Mac > macOS version.

Check Version:

iOS/iPadOS: Settings > General > About; macOS: sw_vers; watchOS/tvOS: Settings > General > About

Verify Fix Applied:

Verify OS version is iOS 17+, iPadOS 17+, macOS Sonoma 14+, watchOS 10+, or tvOS 17+.

📡 Detection & Monitoring

Log Indicators:

Unexpected kernel extensions loading
Processes running with unexpected privileges
System integrity protection (SIP) violations

Network Indicators:

Unusual outbound connections from system processes
DNS requests to suspicious domains from kernel-level processes

SIEM Query:

process.parent.name:kernel AND process.name:unexpected_process OR event.action:privilege_escalation AND device.os.version:<17

📊 Metadata

CVE ID: CVE-2023-40396

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: July 29, 2024

Last Updated: March 19, 2025

🔗 References

https://support.apple.com/en-us/HT213936 Vendor Advisory
https://support.apple.com/en-us/HT213937 Vendor Advisory
https://support.apple.com/en-us/HT213938 Vendor Advisory
https://support.apple.com/en-us/HT213940 Vendor Advisory
https://support.apple.com/en-us/HT213936 Vendor Advisory
https://support.apple.com/en-us/HT213937 Vendor Advisory
https://support.apple.com/en-us/HT213938 Vendor Advisory
https://support.apple.com/en-us/HT213940 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40396, you might also want to check these: