CVE-2023-42917

ENISA EUVD: EUVD-2023-47338 ↗
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: Feb. 18, 2026 11 articles Published: 2023-11-30
VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23
0.09%
probability
This CVE has a 0.09% probability of being exploited in the next 30 days.
0% Top 25.4th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.8
HIGH
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Affected Products

Apple
Safari
unspecified
Apple
macOS
unspecified
Apple
iOS and iPadOS
unspecified

Attack Intelligence

Google Project Zero

Patched
Nov. 30, 2023
Reported by
Clément Lecigne of Google's Threat Analysis Group
Root Cause Analysis
???

Signal Intelligence

Confidence
92%
EPSS 0.09%
CVSS v3.1 8.8
Mentions 11
Last Seen Mar 11, 2025

CNA Information

CNA Assigner
apple

Analyst Note

CVE-2023-42917 is confirmed as an actively exploited zero-day with evidence of real-world attacks described as 'extremely sophisticated' by Apple and security researchers. The vulnerability affects Safari and iOS with a high CVSS score of 8.8, and Apple acknowledged prior exploitation before releasing patches in iOS 16.7.1 and later versions.

Triage Info

Decided atFeb 18, 2026
Published DateNov 30, 2023