For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released March 27, 2023
AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch4t)
Core Bluetooth
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing a maliciously crafted Bluetooth packet may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability Research Institute
CoreCapture
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University
FontParser
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security
Foundation
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2023-27937: an anonymous researcher
Identity Services
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki
ImageIO
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative
Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2023-27969: Adam Doupé of ASU SEFCOM
Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn
Podcasts
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch4t)
TCC
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch4t)
WebKit
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: This issue was addressed with improved state management.
WebKit Bugzilla: 248615
CVE-2023-27932: an anonymous researcher
WebKit
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
WebKit Bugzilla: 250837
CVE-2023-27954: an anonymous researcher
CFNetwork
We would like to acknowledge an anonymous researcher for their assistance.
CoreServices
We would like to acknowledge Mickey Jin (@patch4t) for their assistance.
ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their assistance.
WebKit
We would like to acknowledge an anonymous researcher for their assistance.
Vulmon