CVE-2023-32409
ENISA EUVD: EUVD-2023-36653 ↗
Exploited in the Wild
✓ Confirmed 0-Day
★ Google Project Zero
Triaged: Feb. 18, 2026
22 articles
Published: 2023-06-23
EPSS Score
Source: FIRST.org · 2026-05-23
0.31%
probability
This CVE has a 0.31% probability
of being exploited in the next 30 days.
0%
Top 54.3th percentile of all CVEs
100%
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)8.6
HIGH
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Description
VulnerabilityLookup (CNA)The issue was addressed with improved bounds checks. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.8 and iPadOS 15.7.8, Safari 16.5, iOS 16.5 and iPadOS 16.5. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
Affected Products
Apple
macOS
unspecified
Apple
Safari
unspecified
Apple
watchOS
unspecified
Apple
iOS and iPadOS
unspecified
Apple
iOS and iPadOS
unspecified
Google Project Zero
Patched
May 18, 2023
Reported by
Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
Root Cause Analysis
???
Signal Intelligence
Confidence
92%
EPSS
0.31%
CVSS v3.1
8.6
Mentions
22
Last Seen
Mar 11, 2025
CNA Information
CNA Assigner
apple
Analyst Note
This zero-day vulnerability in Apple WebKit has been actively exploited in sophisticated attacks and is confirmed by multiple reputable sources including BleepingComputer and Google Project Zero. The high CVSS score (8.6), evidence of active exploitation, and patching across multiple Apple platforms (macOS, iOS, tvOS, watchOS) with official acknowledgment of the vulnerability being exploited all strongly support the CONFIRMED status.
Triage Info
Decided atFeb 18, 2026
Published DateJun 23, 2023