CVE-2023-32372: 
macOS vulnerability analysis and mitigation

CVE-2023-32372 is an out-of-bounds read vulnerability affecting Apple's ImageIO framework that was discovered and fixed in May 2023. The vulnerability affects multiple Apple operating systems including iOS 16.5, iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4. The issue was discovered by Meysam Firouzi of Mbition Mercedes-Benz Innovation Lab working with Trend Micro Zero Day Initiative (Apple Support).

The vulnerability is classified as an out-of-bounds read issue (CWE-125) in the ImageIO framework. When processing an image, the vulnerability could allow unauthorized access to process memory due to improper input validation. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating local access is required and user interaction is needed (NVD).

The vulnerability allows attackers to disclose sensitive information from process memory when processing images. The impact is limited to information disclosure without code execution capabilities (ZDI).

Apple has addressed this vulnerability by implementing improved input validation in the affected operating systems. The fix is available in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4. Users are advised to update their devices to these versions or later to mitigate the vulnerability (Apple Support).