
Apple Use-After-Free Vulnerability Fixed in iOS/iPadOS 17


Summary

CISA has added a use-after-free vulnerability (CVE-2023-41974) affecting Apple iOS and iPadOS to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which could allow an app to execute arbitrary code with kernel privileges, has been fixed by Apple in iOS 17, iPadOS 17, iOS 15.8.7, and iPadOS 15.8.7.

What changed

CISA has added CVE-2023-41974, a use-after-free vulnerability in Apple's iOS and iPadOS (rated High, CVSS 3.1 base score 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. The CVE record, published by Apple Inc. as the CNA, states that an app may be able to execute arbitrary code with kernel privileges. Apple has released patches for this issue in iOS 17, iPadOS 17, iOS 15.8.7, and iPadOS 15.8.7.

Federal agencies are required to review and patch their affected systems by March 5, 2026, to mitigate the risk of exploitation. Organizations using affected Apple devices should ensure their operating systems are updated to the patched versions to prevent potential security breaches. Failure to comply with CISA directives may result in further action.

What to do next

  1. Update affected Apple devices to iOS 17, iPadOS 17, iOS 15.8.7, or iPadOS 15.8.7.
  2. Review systems for exploitation attempts related to CVE-2023-41974.

Penalties

Federal agencies are required to patch affected systems by the specified deadline. Non-compliance may lead to further action by CISA.

Source document (simplified)

Required CVE Record Information

CNA: Apple Inc.

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be able to execute arbitrary code with kernel privileges.

Product Status

| Default status | Affected versions |
| --- | --- |
| unknown | before 17 |
| unknown | before 15.8.7 |

References 2 Total

CVE Program

Updated: 2025-11-04

This container includes required additional information provided by the CVE Program for this vulnerability.

References 2 Total

Authorized Data Publishers


CISA-ADP

Updated: 2026-03-06

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2024-01-22 |

KEV 1 Total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41974 (2026-03-05)

CWE 1 Total

- CWE-416: Use After Free

CVSS 1 Total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.8 | HIGH | 3.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various Federal Agencies
Compliance deadline: March 5, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies
Geographic scope: National (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Topics: Software Vulnerabilities, Data Security
