CVE-2023-23529

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 29 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

0.09%

probability

This CVE has a 0.09% probability of being exploited in the next 30 days.

0% Top 25.8th percentile of all CVEs 100%

CVSS v3.1

Source: NVD

8.8

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

NVD

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 15.7.4 and iPadOS 15.7.4, iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Affected Products

apple

safari

apple

ipados

apple

iphone os

apple

macos

Attack Intelligence

CWE-664 · Improper Control of a Resource Through its Lifetime CWE-704 · Incorrect Type Conversion CWE-843 · Type Confusion

Google Project Zero

Patched

Feb. 13, 2023

Reported by

???

Root Cause Analysis

???

https://support.apple.com/en-us/HT213633

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213635

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213638

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213673

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213633

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213635

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213638

Release Notes Vendor Advisory

https://support.apple.com/en-us/HT213673

Release Notes Vendor Advisory

Signal Intelligence

Confidenceⓘ

95%

EPSS 0.09%

CVSS v3.1 8.8

Mentions 29

Last Seen Mar 11, 2025

CNA Information

Analyst Note

CVE-2023-23529 is confirmed as an actively exploited zero-day with high severity (CVSS 8.8), reported by Google Project Zero and documented in multiple credible sources describing real-world attacks described as 'extremely sophisticated.' Apple's official advisory confirms the type confusion vulnerability in WebKit across multiple iOS, iPadOS, and macOS versions with arbitrary code execution capability.

Triage Info

Decided atMar 03, 2026