Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

WebKit Use-After-Free Arbitrary Code Execution

IdentifiersCVE-2023-28205CWE-416· Use After Free

CVE-2023-28205 is a use-after-free vulnerability in Apple's WebKit browser engine. Apple states that processing maliciously crafted web content can trigger the flaw and lead to arbitrary code execution. The issue was addressed through improved memory management. The vulnerability affects Safari and Apple platforms that use WebKit, including iOS, iPadOS, and macOS. Apple also reported that it is aware of indications that this issue may have been actively exploited in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the context of the targeted WebKit process when a victim processes attacker-controlled web content. In practical terms, this enables remote compromise via a malicious webpage or embedded web content and can serve as the initial access component of a broader exploit chain. Given Apple's statement that the issue may have been actively exploited, the vulnerability should be treated as high risk.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted web content by limiting browsing from affected devices, restricting access to suspicious or untrusted sites, and minimizing use of applications that render WebKit content. Monitor endpoint, browser, and network telemetry for signs of exploitation or post-exploitation activity. These are temporary risk-reduction measures only; vendor patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Apply Apple's security updates that fix CVE-2023-28205. The content identifies fixes in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, and macOS Ventura 13.3.1. Supporting content also references broader Apple updates for affected macOS releases, including macOS Big Sur 11.7.6 and macOS Monterey 12.6.5. Organizations should prioritize patching because the vulnerability has been reported as potentially exploited in the wild and has been added to CISA's KEV catalog.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 2 / 2 TOTALView more in app
uaf-2023-28205MaturityPoCVerified exploit

This repository is a proof-of-concept (POC) exploit for CVE-2023-28205, a use-after-free vulnerability in Apple WebKit. The repository contains 13 files, including JavaScript modules for memory manipulation, an HTML file (index.html) that serves as the exploit entry point, a main exploit script (poc.js), and a simple Python HTTP server (server.py) for local hosting. The exploit is triggered by visiting the HTML page in a vulnerable browser, which loads poc.js and executes the exploit logic. The JavaScript code manipulates Map and Date objects to trigger a use-after-free condition, then attempts to demonstrate memory reuse or browser crash, indicating exploitability. The code is modular, with supporting files for low-level memory operations, heap spraying, and debugging. No weaponized payload is included; the POC demonstrates the vulnerability and memory corruption potential. The exploit targets Apple WebKit on macOS and iOS platforms. The server.py script allows easy local hosting of the exploit files for testing.

seregonwarDisclosed Jan 4, 2026javascriptpythonbrowser
uaf-2023-28205MaturityPoCVerified exploit

This repository is a proof-of-concept (POC) exploit for CVE-2023-28205, a use-after-free vulnerability in Apple WebKit. The structure includes a Python HTTP server (server.py) to serve the exploit files, an HTML file (index.html) that loads the exploit, and a JavaScript POC (poc.js) that triggers the vulnerability by manipulating Map and Date objects to induce a use-after-free condition. The 'module/' directory contains supporting JavaScript modules for memory manipulation and exploitation primitives, suggesting the code is designed for advanced browser exploitation research. The exploit is intended to be run in a browser environment, targeting vulnerable versions of WebKit (Safari on macOS/iOS). No weaponized payload is included; the POC demonstrates the bug and can cause a browser crash or potentially arbitrary code execution if further developed.

ntfargoDisclosed Nov 30, 2024javascriptpythonbrowser
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIpadosoperating_system
AppleIphone Osoperating_system
AppleMacosoperating_system
AppleSafariapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
apple supportNews
Jan 24, 2026
About the security content of iOS 15.7.5 and iPadOS 15.7.5 - Apple Support

A WebKit use-after-free vulnerability that could allow arbitrary code execution via maliciously crafted web content.

Read more
bleeping computerNews
Sep 21, 2023
Apple emergency updates fix 3 new zero-days exploited in attacks

An Apple zero-day vulnerability patched in April 2023 (no additional details provided in the content).

Read more
bleeping computerNews
Jul 24, 2023
Apple fixes new zero-day used in attacks against iPhones, Macs

An Apple zero-day vulnerability reported as exploited and patched in April 2023 (no additional technical details provided in the content).

Read more
kyberturvallisuuskeskus infosecNews
Apr 11, 2023
Kriittisiä haavoittuvuuksia Applen tuotteissa - päivitä heti | Kyberturvallisuuskeskus

Apple zero-day vulnerability where maliciously crafted web content could allow arbitrary code execution on the device without user approval.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-28205
NVD
nvd.nist.gov/vuln/detail/CVE-2023-28205
MITRE CWE · CWE-416
Use After Free
Release Notes
support.apple.com/en-us/HT213720
Release Notes
support.apple.com/en-us/HT213721
Release Notes
support.apple.com/en-us/HT213722
Release Notes
support.apple.com/en-us/HT213723
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28205