CVE-2023-32420: 
macOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2023-32420) was discovered in Apple's operating systems. The vulnerability was fixed in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, and macOS Ventura 13.4, released on May 18, 2023. The vulnerability was discovered by CertiK SkyFall Team and Linus Henze of Pinauten GmbH (Apple Security).

The vulnerability exists in the IOSurfaceAccelerator component where an out-of-bounds read condition could occur. The issue was addressed with improved input validation. The vulnerability has a CVSS v3.1 Base Score of 7.1 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) (NVD).

If exploited, this vulnerability could allow a malicious app to cause unexpected system termination or read kernel memory (Apple Security). The vulnerability affects multiple Apple operating systems and devices including iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, Apple TV 4K (all models), Apple TV HD, and macOS Ventura systems.

Apple has addressed this vulnerability by implementing improved input validation in the affected systems. Users should update to iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, or macOS Ventura 13.4 or later versions to protect against this vulnerability (Apple Security).