Kernel privilege escalation via integer overflow in Apple iOS/watchOS/macOS
CVE-2023-32434 is an Apple kernel vulnerability caused by an integer overflow. Apple states that improved input validation fixed the issue. Successful exploitation may allow an application to execute arbitrary code with kernel privileges. Supporting reporting further describes the flaw as a privilege-escalation issue involving integer overflow in memory mapping, and it was used as the kernel privilege-escalation component ('Photon') in exploit chains targeting iOS. Apple reported awareness that this issue may have been actively exploited in the wild against iOS versions released before iOS 15.7.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository, 'Trigon', is a deterministic kernel exploit targeting CVE-2023-32434, an integer overflow in the XNU VM layer on Apple A9-A11 devices running iOS 13 to 15.7.6. The exploit is implemented as an iOS app (Objective-C/C/assembly) and is structured as a full Xcode project. The main exploit logic resides in the 'Trigon/Exploit' directory, with key files including 'exploit.c', 'aop.c', and 'surface.c'. The exploit works by creating a malicious IOSurface object to trigger the vulnerability, then leverages custom ARM shellcode to gain arbitrary physical memory access. It escalates this to full kernel virtual memory read/write, providing powerful primitives for further exploitation or jailbreaking. The exploit is highly reliable (deterministic) and does not cause kernel panics. The app provides a simple UI that runs the exploit and displays success/failure. No network endpoints are present; all exploitation is local. The code is mature and operational, providing working kernel R/W primitives, but is not a weaponized framework. The repository is well-structured, with clear separation between exploit logic, device info, memory manipulation, and UI components.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An iOS kernel privilege escalation vulnerability used in Coruna Stage 3 to obtain root and deploy the PLASMAGRID implant.
A patched iOS vulnerability used as a zero-day in Operation Triangulation and later incorporated into the Coruna exploit kit.
An Apple iOS vulnerability used as a zero-day in Operation Triangulation and later included in the Coruna iOS exploit kit.
A previously patched iOS kernel vulnerability included in the Coruna exploit kit and previously used as a zero-day in Operation Triangulation.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.