MediumCISA KEVExploited in the wildPublic exploit

Apple kernel sensitive state modification / PPL bypass in iOS and macOS

IdentifiersCVE-2023-38606CWE-269Also known asgallium

CVE-2023-38606 is an Apple kernel vulnerability fixed in macOS Monterey 12.6.8, macOS Big Sur 11.7.9, macOS Ventura 13.5, iOS 15.7.8, iPadOS 15.7.8, iOS 16.6, iPadOS 16.6, tvOS 16.6, and watchOS 9.6. Apple’s advisory states that an app may be able to modify sensitive kernel state and that the issue was addressed with improved state management. Public reporting and exploit-chain analyses associate this flaw with kernel post-exploitation on iOS, including use as a Page Protection Layer (PPL) bypass component in exploit frameworks such as Operation Triangulation and later Coruna. Supporting reporting also characterizes the bug as enabling arbitrary code execution with kernel privileges in some exploit contexts, but Apple’s published description is limited to modification of sensitive kernel state.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows modification of sensitive kernel state on affected Apple platforms. In practical exploit chains, this has been used to bypass kernel protections such as PPL and to facilitate kernel-level post-exploitation, including privilege escalation to root, kernel memory manipulation, and deployment of implants. Apple states it may have been actively exploited against iOS versions released before iOS 15.7.1.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure by limiting installation and execution of untrusted apps and by moving devices to the latest supported OS branch as quickly as possible. Because this flaw has been used as a kernel-stage component in chained exploitation, broader mitigations should focus on preventing initial compromise vectors and minimizing use of outdated iOS releases. Information about a specific vendor-recommended workaround beyond patching is currently not available.

Remediation

Patch, then assume compromise.

Apply Apple security updates that fix CVE-2023-38606: iOS/iPadOS 16.6, iOS/iPadOS 15.7.8, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6, and watchOS 9.6, or later versions. Prioritize patching older supported iOS/iPadOS branches because Apple reported active exploitation against versions of iOS released before iOS 15.7.1.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AppleIpadosoperating_system

AppleIphone Osoperating_system

AppleMacosoperating_system

AppleTvosoperating_system

AppleWatchosoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

34 SOURCESView more in app

breakglass intelNews

Apr 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

An iOS kernel privilege escalation vulnerability used in Coruna Stage 3 to obtain root and deploy the PLASMAGRID implant.

security affairsNews

Mar 26, 2026

Coruna exploit reveals evolution of Triangulation iOS exploitation framework

A patched iOS vulnerability used as a zero-day in Operation Triangulation and later incorporated into the Coruna exploit kit.

the hacker newsNews

Mar 26, 2026

Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in New Mass Attacks

An Apple iOS vulnerability used as a zero-day in Operation Triangulation and later included in the Coruna iOS exploit kit.

securelistNews

Mar 26, 2026

Coruna framework: an exploit kit and ties to Operation Triangulation | Securelist

A previously patched iOS kernel vulnerability included in the Coruna exploit kit and previously used as a zero-day in Operation Triangulation.

+23 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence15

Every observed campaign linking this CVE to a named adversary.

Associated malware36

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2023-38606

NVD

nvd.nist.gov/vuln/detail/CVE-2023-38606

MITRE CWE · CWE-269

cwe.mitre.org

Vendor Advisory

support.apple.com/en-us/HT213841

Vendor Advisory

support.apple.com/en-us/HT213842

Vendor Advisory

support.apple.com/en-us/HT213843

Vendor Advisory

support.apple.com/en-us/HT213844

Vendor Advisory

support.apple.com/en-us/HT213845

Vendor Advisory

support.apple.com/en-us/HT213846

Vendor Advisory

support.apple.com/en-us/HT213848

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38606