High · CISA KEV · Exploited in the wild · Public exploit

Parallax kernel use-after-free in Apple iOS and iPadOS

Identifiers: CVE-2023-41974 · CWE-416 (Use After Free)

CVE-2023-41974 is a kernel use-after-free vulnerability in Apple iOS and iPadOS. Apple describes it as a use-after-free issue in the kernel that was addressed with improved memory management. Successful exploitation allows a malicious application on the device to execute arbitrary code with kernel privileges. Public reporting also identifies this flaw as the kernel privilege-escalation component of the Coruna exploit kit, where it is referred to as “Parallax.” The issue was fixed in iOS 17 and iPadOS 17, and later backported to older supported releases including iOS 15.8.7 and iPadOS 15.8.7.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Exploitation can result in arbitrary code execution in kernel context, effectively giving the attacker root-equivalent control over the device. This enables deep operating-system access, compromise of sensitive user data, and support for full post-exploitation activity such as implant deployment, privilege escalation from an unprivileged app, and broader device compromise. Reporting on Coruna indicates the flaw was used as a kernel privilege-escalation stage to deploy the PLASMAGRID implant.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing installation and execution of untrusted applications on affected devices and enforcing rapid update compliance for iOS/iPadOS fleets. Apple stated that Lockdown Mode blocks Coruna-related attacks, but this CVE specifically requires a malicious app rather than malicious web content, so patching remains the primary mitigation. Where vendor mitigations cannot be applied, discontinue use of vulnerable devices in sensitive environments.

Remediation

Patch, then assume compromise.

Apply Apple security updates that include the fix for CVE-2023-41974. The vulnerability is fixed in iOS 17 and iPadOS 17, and Apple also backported the fix to older supported devices in iOS 15.8.7 and iPadOS 15.8.7. Organizations should ensure affected legacy devices that cannot run newer major releases receive the applicable backported update immediately.
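
A fleet triage check built on the fixed releases named above, as an added example that is not Mallory's or Apple's code. The device names and inventory are constructed, and versions on branches this page does not name (for example 16.x) are reported as "verify" rather than guessed.

```python
import re

FIXED_MAJOR = 17        # page: fixed in iOS 17 and iPadOS 17
BACKPORT = (15, 8, 7)   # page: backported in iOS 15.8.7 and iPadOS 15.8.7

def parse_version(text):
    """Parse '15.8.7', '17.0' or '17' into a 3-tuple; raise ValueError otherwise."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(os_version):
    """Return 'patched', 'unpatched' or 'verify' for one reported OS version."""
    try:
        v = parse_version(os_version)
    except ValueError:
        return "verify"   # beta or malformed strings need a manual look
    if v[0] >= FIXED_MAJOR:
        return "patched"
    if v[0] == BACKPORT[0]:
        return "patched" if v >= BACKPORT else "unpatched"
    # Any other branch: the page names no fixed release for it, so the
    # status is checked against Apple's advisory instead of assumed here.
    return "verify"

def triage(inventory):
    """Group device names by status; inventory yields (name, os_version)."""
    result = {"patched": [], "unpatched": [], "verify": []}
    for name, version in inventory:
        result[classify(version)].append(name)
    return result

# Constructed sample inventory (hypothetical device names).
SAMPLE = [
    ("ipad-lab-01", "15.8.6"),
    ("iphone-exec-02", "15.8.7"),
    ("iphone-dev-03", "16.7.2"),
    ("iphone-ops-04", "17.0"),
    ("ipad-kiosk-05", "14.8.1"),
    ("iphone-byod-06", "17.1 beta"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status:10s} {', '.join(names)}")
```
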
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product     Type
Apple    Ipados      operating_system
Apple    Iphone Os   operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
