How to Fix CVE-2023-32373: Apple Safari (Bundle Sibling)
By Sai Kiran Pandrala
| Field | Value |
|---|---|
| Severity | CVSS 0.0 |
| Actively exploited? | Yes, listed in CISA KEV (added 2023-05-22, federal due date 2023-06-12) |
| Affected | Same as the bundle |
| Fixed in | Same patched build as CVE-2023-28204 |
| Type (CWE) | Not verified, see official advisory |
CVE-2023-32373 ships in the same vendor advisory as CVE-2023-28204. The patched build documented in the primary write-up closes this CVE too.
What's different about CVE-2023-32373?
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
The flaw class and remediation are identical to the primary CVE in the bundle. A successful exploit gives the attacker the impact described in the vendor advisory: arbitrary code execution when the device processes maliciously crafted web content.
How to fix CVE-2023-32373
Apply the patched build documented in the primary write-up: How to Fix CVE-2023-28204. The vendor ships a single fix that covers every CVE in this advisory.
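To confirm the patched builds are actually deployed, the added example below (not from the original page or from Apple) checks an inventory export against the fixed versions listed above. It compares each device only within its own major release branch, so iOS 15.7.6 counts as patched while 16.4.1 does not. The inventory rows, function names and status labels are assumptions made for illustration.

```python
# Added example. Fixed versions are the ones listed in the advisory text on
# this page; inventory rows and status labels are constructed for illustration.

# product -> {major release branch: first fixed version in that branch}
FIXED = {
    "ios":     {15: (15, 7, 6), 16: (16, 5)},
    "ipados":  {15: (15, 7, 6), 16: (16, 5)},
    "macos":   {13: (13, 4)},
    "safari":  {16: (16, 5)},
    "watchos": {9: (9, 5)},
    "tvos":    {16: (16, 5)},
}

def parse_version(text):
    """'16.4.1' -> (16, 4, 1), zero-padded to at least three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def status(product, version):
    """Return 'patched', 'vulnerable' or 'not-listed' for one inventory row."""
    branches = FIXED.get(product.strip().lower())
    if branches is None:
        return "not-listed"          # product is not named in the advisory text
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is not None:            # compare only within the same major branch
        return "patched" if v >= fixed + (0,) * (3 - len(fixed)) else "vulnerable"
    if v[0] > max(branches):
        return "patched"             # assumption: later major releases carry the fix
    return "not-listed"              # older branch: the page names no fixed build

# Constructed sample inventory: (host, product, version)
INVENTORY = [
    ("phone-01", "iOS", "15.7.6"),
    ("phone-02", "iOS", "16.4.1"),
    ("mac-01", "macOS", "13.4"),
    ("mac-02", "macOS", "12.6.5"),
    ("mac-02", "Safari", "16.4"),
    ("watch-01", "watchOS", "9.5.1"),
]

def audit(rows):
    return [(host, prod, ver, status(prod, ver)) for host, prod, ver in rows]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-9s %-8s %-7s %s" % row)
```

Rows reported as not-listed need a manual check against the vendor advisory, since the page names no fixed build for that product or branch.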
Frequently asked questions
Is CVE-2023-32373 actively exploited?
Yes. CVE-2023-32373 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2023-32373?
Not verified. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://support.apple.com/en-us/HT213758
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official vendor advisory: https://support.apple.com/en-us/HT213758
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32373
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary write-up: How to Fix CVE-2023-28204
*This guide is part of the Apple Safari bundle. The full remediation procedure is in the CVE-2023-28204 write-up.*