For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released December 11, 2023
AVEVideoEncoder
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to disclose kernel memory
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2023-42884: an anonymous researcher
ImageIO
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an image may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42898: Junsung Lee
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee
Kernel
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved memory handling.
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259830
CVE-2023-42890: Pwn2car
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an image may lead to a denial-of-service
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 263349
CVE-2023-42883: Zoom Offensive Security Team
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with improved locking.
WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group
Wi-Fi
We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.
Vulmon