Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Apple IOSurfaceAccelerator Out-of-Bounds Write Kernel Code Execution

IdentifiersCVE-2023-28206CWE-787· Out-of-bounds Write

CVE-2023-28206 is an out-of-bounds write vulnerability in Apple IOSurfaceAccelerator affecting iOS, iPadOS, and macOS. Apple states the issue was addressed through improved input validation. Successful exploitation may allow a local application to execute arbitrary code with kernel privileges. Apple also stated it is aware of reports that the vulnerability may have been actively exploited in the wild. Fixed releases include macOS Big Sur 11.7.6, macOS Monterey 12.6.5, macOS Ventura 13.3.1, iOS 15.7.5, iPadOS 15.7.5, iOS 16.4.1, and iPadOS 16.4.1.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in kernel context, giving the attacker kernel-level privileges on the affected device. This can enable full device compromise, including bypass of application sandboxing, modification of kernel state, installation of persistent malware or spyware, access to sensitive data, and broader control over the operating system.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting installation and execution of untrusted or unnecessary applications, restricting local code execution paths through enterprise device management controls, and monitoring devices for signs of compromise. Because exploitation appears to require an app on the device, enforcing strict application allowlisting, minimizing sideloading or unmanaged app installation, and isolating high-risk devices can reduce risk until updates are applied. Review endpoint and system logs for suspicious activity where available.

Remediation

Patch, then assume compromise.

Apply Apple's security updates that fix CVE-2023-28206. The content identifies the patched versions as macOS Big Sur 11.7.6, macOS Monterey 12.6.5, macOS Ventura 13.3.1, iOS 15.7.5, iPadOS 15.7.5, iOS 16.4.1, and iPadOS 16.4.1. Organizations should prioritize patching because Apple reported possible active exploitation and CISA added the CVE to the KEV catalog.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIpadosoperating_system
AppleIphone Osoperating_system
AppleMacosoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
apple supportNews
Jan 24, 2026
About the security content of iOS 15.7.5 and iPadOS 15.7.5 - Apple Support

An out-of-bounds write in IOSurfaceAccelerator that could allow an app to execute arbitrary code with kernel privileges.

Read more
apple supportNews
Jan 24, 2026
About the security content of macOS Big Sur 11.7.6 - Apple Support

An out-of-bounds write vulnerability in macOS Big Sur’s IOSurfaceAccelerator that could allow an application to execute arbitrary code with kernel privileges; Apple notes it may have been actively exploited.

Read more
bleeping computerNews
Sep 21, 2023
Apple emergency updates fix 3 new zero-days exploited in attacks

An Apple zero-day vulnerability patched in April 2023 (no additional details provided in the content).

Read more
bleeping computerNews
Jul 24, 2023
Apple fixes new zero-day used in attacks against iPhones, Macs

An Apple zero-day vulnerability reported as exploited and patched in April 2023 (no additional technical details provided in the content).

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-28206
NVD
nvd.nist.gov/vuln/detail/CVE-2023-28206
MITRE CWE · CWE-787
Out-of-bounds Write
Vendor Advisory
support.apple.com/en-us/HT213720
Vendor Advisory
support.apple.com/en-us/HT213721
Vendor Advisory
support.apple.com/en-us/HT213723
Vendor Advisory
support.apple.com/en-us/HT213724
Vendor Advisory
support.apple.com/en-us/HT213725
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28206