CVE CyberSecurity Database News

CVE-2023-38604 - Out-of-Bounds Write Vulnerability in Apple Devices Explained

Poster -

Out-of-bounds write vulnerabilities can be scary, especially when they affect the kernel—the “heart” of your operating system. Apple recently addressed such a flaw in several of its most popular operating systems with CVE-2023-38604. In this post, I’ll break down what this bug means, how it could affect you, and what Apple did to fix it. I’ll explain it in plain American English, show you real code snippets that simulate the problem, and even walk through possible exploit paths. Plus, you'll find all the must-click references at the bottom!

What Is CVE-2023-38604?

CVE-2023-38604 is a security vulnerability found in Apple’s kernel (the core of the OS), where improper input validation allowed an attacker to write outside the bounds of an allocated memory buffer. By exploiting this hole, a malicious application could run arbitrary code with kernel privileges—that’s as powerful as it gets!

Understanding Out-of-Bounds Write

Let’s see what an “out-of-bounds write” means, with a simple C example (not Apple’s code, but similar logic):

void write_to_buffer(char *input, size_t length) {
    char buffer[16];
    // BAD: No proper check on length, could overflow buffer!
    for (size_t i = ; i < length; i++) {
        buffer[i] = input[i];
    }
}

If length is larger than 16, you overwrite memory outside the buffer—out-of-bounds! If this happens in kernel code, an attacker could potentially overwrite important data, pointers, or even inject their own code.

Craft the Input

The attacker sends data longer than what the kernel expects—maybe over a network or from an app running on the device.

Corrupt Kernel State

The attacker tries to place “payloads” (malicious code or addresses) into where the kernel will later look for instructions, such as function pointers.

Takeover

When the kernel uses the overwritten data, it starts executing the attacker’s code with kernel privileges!

Example: Exploit Flow (Conceptual)

/* Pseudo-exploit: craft input for oversized kernel buffer */
unsigned char evil_payload[64];
// Fill with shellcode or address to shellcode
fill_payload(evil_payload, 64);

// Send to vulnerable system call or driver
call_kernel_function(evil_payload, 64); // Note: This is for illustration only!

With the correct offsets, this could let an attacker bypass system protections, escalate privileges, or even install persistent malware.

Apple patched CVE-2023-38604 by adding stricter checks. Here’s what that would look like

void write_to_buffer_safe(char *input, size_t length) {
    char buffer[16];
    // GOOD: Check length before use
    if (length > sizeof(buffer)) {
        // Reject or handle safely
        return;
    }
    for (size_t i = ; i < length; i++) {
        buffer[i] = input[i];
    }
}

By validating the length, the dangerous out-of-bounds write is prevented.

macOS 11.7.9, 12.6.8, 13.5

- iOS/iPadOS 15.7.8, 16.6

References & More Reading

- Apple Security Updates (official)
- CVE-2023-38604 at MITRE
- A guide on buffer overflows (OWASP)

Summary

CVE-2023-38604 shows how critical it is for developers to check their input sizes, especially deep in the operating system. For us users, the best defense is keeping systems updated and avoiding untrusted apps. The vulnerability is fixed in the most recent Apple OS versions — update now and stay safe!


*Written exclusively for you — stay secure, and happy computing!*

Timeline

Published on: 07/28/2023 05:15:11 UTC
Last modified on: 08/03/2023 16:51:50 UTC