Apple Kernel Local Privilege Escalation
CVE-2023-41992 is a vulnerability in the Apple kernel affecting iOS, iPadOS, macOS, and watchOS. Apple describes the issue only at a high level, stating that it was addressed with improved checks. The available content consistently characterizes it as a kernel flaw that allows a local attacker to elevate privileges. Apple also stated it was aware of reports that the issue may have been actively exploited against iOS versions prior to iOS 16.7.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2023-41992, a kernel vulnerability in Apple's iOS (tested on iPhone 12, iOS 16.2). The repository is structured as an Xcode project for an iOS app. The main exploit logic resides in 'p0c/p0c/ViewController.m', specifically in the 'viewDidLoad' method. The exploit manipulates Mach port reference counts and types to trigger a bug in the kernel's IPC (Inter-Process Communication) right handling, leading to a kernel crash when the app is killed. The code demonstrates the vulnerability but does not provide a full exploit chain (e.g., privilege escalation or code execution). The rest of the repository consists of standard iOS app boilerplate files, asset catalogs, and project configuration files. No network or remote endpoints are involved; the attack vector is local, requiring code execution on a vulnerable device.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unauthorized access to protected user data due to authorization/state management issue (fixed with improved state management).
An Apple iOS/iPadOS kernel vulnerability that may allow a local attacker to elevate privileges; Apple reports it may have been actively exploited against iOS versions prior to iOS 16.7.
A kernel privilege escalation vulnerability where a local attacker may be able to elevate privileges; Apple reports it may have been actively exploited against iOS versions prior to iOS 16.7.
A use-after-free vulnerability in Apple kernel IPC, used in Predator exploit chains to break out of the Safari sandbox on iOS devices.