CISA has added CVE-2023-41974 to the Known Exploited Vulnerabilities (KEV) catalogue. The entry covers a use-after-free vulnerability in Apple iOS and iPadOS that could allow an app to execute arbitrary code with kernel privileges.
Technical detail: The flaw is a use-after-free in the kernel memory management of iOS and iPadOS. A malicious app that triggers it could gain arbitrary code execution with kernel privileges. The CVSS score is 7.8 (HIGH). A patch is available from Apple (HT213938).
Exploitation and risk: Active exploitation has been confirmed. Ransomware campaign use is unknown. CISA has set a remediation deadline of 26 March 2026.
Required action: Remediation actions are to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Directly affected entities are Federal Civilian Executive Branch (FCEB) agencies. All organisations should review their exposure and plan accordingly.
References: For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2023-41974 and the CISA KEV catalogue entry.