For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released July 24, 2023
Assets
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved data protection.
CVE-2023-35983: Mickey Jin (@patch4t)
curl
Available for: macOS Monterey
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating curl.
CVE-2023-28319
CVE-2023-28320
CVE-2023-28321
CVE-2023-28322
Find My
Available for: macOS Monterey
Impact: An app may be able to read sensitive location information
Description: A logic issue was addressed with improved restrictions.
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)
Grapher
Available for: macOS Monterey
Impact: Processing a file may lead to unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved checks.
CVE-2023-36854: Bool of YunShangHuaAn(云上华安)
CVE-2023-32418: Bool of YunShangHuaAn(云上华安)
Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use-after-free issue was addressed with improved memory management.
CVE-2023-32381: an anonymous researcher
CVE-2023-32433: Zweig of Kunlun Lab
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group
Kernel
Available for: macOS Monterey
Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: This issue was addressed with improved state management.
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky
Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.
libxpc
Available for: macOS Monterey
Impact: An app may be able to gain root privileges
Description: A path handling issue was addressed with improved validation.
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)
libxpc
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service
Description: A logic issue was addressed with improved checks.
CVE-2023-38593: Noah Roskin-Frazee
Model I/O
Available for: macOS Monterey
Impact: Processing a 3D model may result in disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2023-38421: Mickey Jin (@patch4t)
CVE-2023-38258: Mickey Jin (@patch4t)
OpenLDAP
Available for: macOS Monterey
Impact: A remote user may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-2953: Sandipan Roy
PackageKit
Available for: macOS Monterey
Impact: An app may be able to access user-sensitive data
Description: A logic issue was addressed with improved restrictions.
CVE-2023-38259: Mickey Jin (@patch4t)
PackageKit
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-38602: Arsenii Kostromin (0x3c3e)
Shortcuts
Available for: macOS Monterey
Impact: A shortcut may be able to modify sensitive Shortcuts app settings
Description: An access issue was addressed with improved access restrictions.
CVE-2023-32442: an anonymous researcher
sips
Available for: macOS Monterey
Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-32443: David Hoyt of Hoyt LLC
We would like to acknowledge Parvez Anwar for their assistance.