CVE-2023-41974: The Apple iOS Kernel Flaw That Came Back to Bite

A use-after-free vulnerability in Apple's XNU kernel quietly sat in millions of iPhones and iPads for over two years before threat actors began using it in active exploit campaigns. In March 2026, CISA added CVE-2023-41974 to its Known Exploited Vulnerabilities catalog. Here is what happened, how the flaw works, and why patched does not always mean protected.

When Apple shipped iOS 17 in September 2023, the release notes included a quiet acknowledgment: a memory handling issue had been resolved in the kernel. The credit went to security researcher Félix Poulin-Bélanger. That one-line credit corresponded to CVE-2023-41974, a physical use-after-free vulnerability in Apple's XNU kernel that, when exploited, gave an attacker with app-level access the ability to read and write kernel memory — effectively owning the device.

The vulnerability would take roughly two and a half years to fully surface in the threat landscape. On March 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2023-41974 to its Known Exploited Vulnerabilities catalog, citing active exploitation evidence tied to a sophisticated iOS exploit kit called Coruna. The remediation deadline CISA set for federal civilian agencies was March 26, 2026 — just three weeks later, reflecting the urgency of the threat.

What Is CVE-2023-41974?

CVE-2023-41974 is a use-after-free (UAF) vulnerability residing in Apple's XNU kernel, the core operating system kernel underlying iOS, iPadOS, and macOS. It was reserved on September 6, 2023, formally published on January 10, 2024, and most recently updated on March 6, 2026, coinciding with CISA's KEV catalog entry.

Apple's official security advisory for iOS 17 and iPadOS 17 lists CVE-2023-41974 under the Kernel section with the impact statement: an app may be able to execute arbitrary code with kernel privileges. The description of the fix states that a use-after-free issue was addressed with improved memory management. The advisory credits Félix Poulin-Bélanger as the discoverer, and the entry was updated on December 22, 2023. That impact language — arbitrary code execution with kernel privileges — matches both the NVD and CISA descriptions of the flaw. But the advisory framing understates the operational reality. As the kfd project's Landa writeup demonstrates, CVE-2023-41974 produces a physical use-after-free primitive that gives an attacker full kernel read/write access. In practice, within an exploit chain like Coruna, it functions as a privilege escalation stepping stone: the vulnerability does not provide initial remote access on its own, but once an attacker has achieved code execution through a separate entry point such as a WebKit bug, CVE-2023-41974 removes the kernel's protective barriers and delivers complete device compromise.

The vulnerability affects a wide range of hardware. According to Apple's advisory, the impacted device list includes iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. That is not a narrow slice of the install base — it covers a very large share of iPhones and iPads that were in active use during the vulnerability's window of exposure.

CVE at a Glance

The NVD entry carries a CVSS 3.1 base score of 7.8 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting the local access requirement and the high impact across confidentiality, integrity, and availability. CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) assessment goes further, classifying the technical impact as "total" and exploitation status as "active." The CVSS score alone does not fully capture the operational significance. A 7.8 High rating might suggest a moderate-priority item in a large vulnerability backlog, but the SSVC "total" impact classification and confirmed active exploitation tell a different story. In the hands of a well-equipped attacker chaining CVE-2023-41974 with a browser-level entry point, the end result is full kernel compromise — indistinguishable from arbitrary kernel code execution with no mitigations standing in the way.

Use-After-Free: The Vulnerability Class Explained

To understand why CVE-2023-41974 is dangerous, it helps to understand what use-after-free means as a vulnerability class. Memory management in operating systems involves a continuous cycle: allocating memory for objects, using those objects while they're needed, then freeing the memory when those objects are no longer required. A use-after-free flaw occurs when code continues to reference — and potentially use — a memory address after the memory at that address has already been released back to the system.

When memory is freed, the operating system marks it as available for reuse. If an attacker can trigger that reuse before the dangling reference is discarded, they can plant crafted data in the reclaimed region. When the original code then dereferences its stale pointer and acts on what it finds, it is no longer interacting with the legitimate original object — it is interacting with whatever the attacker placed there. In kernel-space, the consequences of this are severe. The kernel is the layer of software with unconditional access to hardware, memory, processes, and all system resources. Code executing with kernel privileges can disable security features, read encrypted data in memory, inject code into any running process, or install persistent modifications that survive reboots.

CWE-416 — the official classification for use-after-free — has consistently ranked among the most dangerous software weakness types. The 2023 CWE Top 25 list, published by MITRE, identified use-after-free as one of the leading root causes of exploitable security vulnerabilities across all software categories, not just mobile operating systems. Apple's XNU kernel, being a complex, multi-threaded environment handling concurrent memory operations across many subsystems, provides fertile ground for this class of flaw to emerge.

Apple described the fix as addressing a use-after-free issue with improved memory management. — Apple Security Advisory, iOS 17 and iPadOS 17 (support.apple.com/en-us/120949)

The Landa Exploit: How the Flaw Was Weaponized

The technical story of CVE-2023-41974 is inseparable from a project called kfd — short for kernel file descriptor — published by Félix Poulin-Bélanger on GitHub. The kfd project is a research-grade exploit framework designed to demonstrate the ability to read and write kernel memory on Apple devices by leveraging vulnerabilities that produce what Poulin-Bélanger calls a PUAF primitive: a physical use-after-free.

Within the kfd project, the specific exploit for CVE-2023-41974 is named Landa. The writeup accompanying the exploit explains the mechanics in precise terms. The vulnerability exists in how XNU's virtual memory subsystem handles a race condition involving virtual memory entries (VMEs) that are in a transitional state. Specifically, the issue involves the functions vm_map_copy_overwrite_nested() and vm_map_copy_overwrite_unaligned().

The exploit author notes that Landa is closely related to an earlier vulnerability tracked as Project Zero issue 2361 — the same class of bug underlying the widely known MacDirtyCow exploit (CVE-2022-46689) — which involved a race condition allowing writes to read-only memory mappings. In that earlier bug, vm_map_copy_overwrite_nested() would verify that destination VMEs were writable, but vm_map_copy_overwrite_unaligned() could release the map lock mid-operation and never re-validate after reacquiring it. Landa works through the same structural flaw, but the exploitable state is VMEs that are marked as "in transition" rather than read-only.

// Landa targets this race in the XNU kernel (xnu-8796.101.5):
// vm_map_copy_overwrite_unaligned() drops the map lock during copy,
// allowing VMEs in transition to be freed and reallocated
// before the lock is reacquired and the operation completes.
// This produces dangling PTEs — physical use-after-free pages
// accessible from user space through stale page table entries.

The exploit proceeds in three major phases. In the setup phase, a memory region of the target size plus two additional pages is allocated and split into three distinct virtual memory entries with carefully arranged ownership of virtual memory objects. The second phase wins the race condition: by spraying threads and timing virtual memory copy operations, the exploit forces the kernel into a state where page table entries point to physical pages that have been returned to the free pool. The freed physical pages remain mapped in user space. The third phase — called "from PUAF to KRKW" in the writeup — reallocates kernel objects inside those freed physical pages, then manipulates them directly from user space through the dangling page table entries. The result is a full kernel read/write (KRKW) primitive.

The exploit was confirmed to work on iOS 16.5 and 16.5.1 running on iPhone 14 Pro Max hardware, and macOS 13.4 and 13.4.1 on an M2 MacBook Air. The code snippets in the writeup all reference xnu-8796.101.5, the XNU source version corresponding to those releases.

There is a meaningful access constraint worth stating clearly: the Landa exploit is reachable from the App Sandbox — meaning a malicious application installed on the device can trigger it — but it is not reachable from the WebContent sandbox. This means the vulnerability cannot be exploited directly from a webpage through Safari's renderer alone. An attacker typically needs either a separate vulnerability to escape the browser's content process or a means of getting a malicious application onto the device first. According to The Apple Wiki, the vulnerability earned a $70,000 Apple Security Bounty reward after being reported.

The kfd project repository has accumulated over 950 stars and more than 180 forks on GitHub, with the Landa method subsequently integrated into multiple iOS jailbreak tools including the Dopamine jailbreak framework. The community adoption of the Landa method underscores what the security research community already knew: this was a high-quality, reliable kernel exploit with real-world utility.

The Coruna iOS Exploit Kit and Active Exploitation

The transition of CVE-2023-41974 from a published research proof-of-concept to an actively weaponized vulnerability is directly tied to a sophisticated commercial iOS exploit kit named Coruna by its developers. Google's Threat Intelligence Group (GTIG) identified the kit's internal name after recovering a debug version inadvertently deployed by one of the threat actors using it. Mobile security firm iVerify independently discovered and reverse-engineered the same toolkit, publishing corroborating research on the same day under the name CryptoWaters. iVerify described it as the first documented case of mass exploitation of iOS devices by a financially motivated criminal group — a claim that signals a fundamental shift in how the mobile threat landscape operates.

GTIG researchers first captured parts of an iOS exploit chain in February 2025, when it was used by a customer of a commercial surveillance company — suggesting the kit originated in the commercial spyware market. The full kit, as later recovered, contained five complete iOS exploit chains and a total of 23 individual exploits, covering devices running iOS 13.0 through iOS 17.2.1. Notably, not all of those exploits have been assigned CVE identifiers — some remain untracked in public vulnerability databases. That range spans roughly four and a half years of Apple hardware and software releases. According to GTIG, the framework's technical sophistication was exceptional, with advanced exploit components leveraging non-public techniques and mitigation bypasses characteristic of nation-state-grade tooling.

The second observed deployment came in the summer of 2025, when Coruna was detected on compromised Ukrainian websites — sites serving industrial equipment suppliers, retail tool vendors, and local service businesses. The delivery mechanism was a watering hole attack: visitors accessing these sites from iPhones received a hidden iFrame from the domain cdn.uacounter[.]com that loaded the exploit kit. GTIG worked with Ukraine's CERT-UA to clean up the compromised sites. Researchers attributed this campaign to a suspected Russian espionage group tracked as UNC6353, with delivery restricted to specific iPhone users from targeted geolocations — a hallmark of intelligence-driven targeting rather than mass exploitation.

The third observed use of Coruna surfaced by late 2025, this time tied to a cluster of fake Chinese websites related to finance and cryptocurrency. One example involved a fake site impersonating the WEEX cryptocurrency exchange, which displayed pop-up prompts encouraging visitors to access the platform from an iPhone. This activity was attributed to a financially motivated threat cluster tracked as UNC6691. Unlike the earlier targeted deployments, iVerify confirmed that these exploit chains contained no geolocation filtering — meaning any vulnerable iPhone visiting those pages was at risk. GTIG recovered a debug version of the exploit kit from this campaign, inadvertently deployed by the threat actor, which exposed internal code names and confirmed the toolkit's identity as Coruna.

According to GTIG, Coruna's advanced exploit components used non-public techniques and mitigation bypasses. — Google Threat Intelligence Group, Google Cloud Blog (March 2026)

The PlasmaLoader Payload: From Espionage to Financial Theft

What makes the UNC6691 deployment especially significant is the payload delivered after the exploit chain completes. GTIG identified a final-stage stager binary called PlasmaLoader, tracked internally as PLASMAGRID, which injects itself into powerd — a root-level iOS system daemon — while masquerading as a legitimate Apple service using the com.apple.assistd identifier. Unlike conventional surveillance implants, PlasmaLoader is purpose-built for financial theft.

The malware hooks functions in at least 18 cryptocurrency wallet applications — including MetaMask, Phantom, Exodus, BitKeep, and Uniswap — allowing attackers to intercept sensitive wallet data. It can decode QR codes from images stored on disk and scans Apple Notes for BIP39 seed phrases and keywords such as "backup phrase" and "bank account," which could enable attackers to recover cryptocurrency wallets and steal digital assets. Stolen data is encrypted with AES before exfiltration to hardcoded command-and-control addresses. As a fallback, the implant embeds a custom domain generation algorithm using the string "lazarus" as a seed to generate predictable .xyz domains if its primary C2 servers become unavailable. GTIG noted that code comments within the UNC6691 variant of PlasmaLoader were written in Chinese, and some appeared to have been generated by a large language model — a sharp contrast to the professional English documentation in the original Coruna modules.

iVerify's independent analysis found additional modules targeting WhatsApp beyond those identified by GTIG, and noted the kit appeared to be in active development. The PlasmaLoader malware lacks a persistence mechanism that survives a device reboot — meaning a daily restart flushes the infection from memory — but the continuous availability of the exploit delivery infrastructure makes reinfection trivially easy for users who revisit compromised sites.

Proliferation and the Attribution Debate

The progression from surveillance vendor tool to nation-state espionage instrument to financially motivated criminal weapon is a pattern observed repeatedly in the history of mobile exploit kits. Once a toolkit leaves the hands of its original developer — whether through sale, theft, or third-party reselling — the original access controls and use restrictions cease to function. Coruna appears to have followed precisely this path. As GTIG noted, the proliferation mechanism remains unclear but suggests an active market for second-hand zero-day exploits.

iVerify co-founder Rocky Cole stated publicly that the firm assessed the exploit chain had structural similarities to frameworks previously associated with the U.S. government. Boris Larin, principal security researcher at Kaspersky, disputed this in a statement to The Register, noting no evidence of actual code reuse to support that attribution. Regardless of origin, the operational reality is clear: surveillance-grade iOS exploit capabilities are now in the hands of multiple unrelated threat actors operating across three continents.

The exploit chains within Coruna relied on multiple CVEs operating in sequence. The initial browser-level entry was typically achieved through WebKit vulnerabilities, including CVE-2024-23222 (a type confusion bug patched in January 2024), CVE-2022-48503, and CVE-2023-43000. From there, the chains leveraged kernel-level flaws — including CVE-2023-41974, codenamed "Parallax" within Coruna's internal naming scheme — to bypass memory mitigations and achieve persistent access. Some of the CVEs used in Coruna had previously appeared as zero-day exploits in Operation Triangulation, the sophisticated 2023 campaign against Kaspersky researchers that exploited a hardware-level vulnerability in Apple Silicon. A notable design feature: Coruna is programmed to abort execution on devices running in Lockdown Mode or using private browsing in Safari, a deliberate evasion of Apple's most restrictive defensive posture.

Active Exploitation Warning

CISA confirmed active exploitation of CVE-2023-41974 in the wild as of March 2026. Any iOS or iPadOS device running a version prior to iOS 17.0 that has not been updated should be treated as potentially vulnerable. Update immediately. If updating is not possible, enable Lockdown Mode — the Coruna exploit kit is designed to abort execution when it detects this setting is active.

CISA's KEV Addition and What It Means

On March 5, 2026, CISA formally added CVE-2023-41974 to its Known Exploited Vulnerabilities catalog alongside four other vulnerabilities: CVE-2017-7921 (Hikvision improper authentication), CVE-2021-22681 (Rockwell Automation insufficient credential protection), CVE-2021-30952 (Apple integer overflow), and CVE-2023-43000 (Apple WebKit use-after-free). The simultaneous addition of multiple Apple flaws — all linked to the Coruna exploit kit — reflects the intelligence context behind the KEV entry.

The KEV catalog, established under Binding Operational Directive BOD 22-01, formally requires Federal Civilian Executive Branch agencies to remediate listed vulnerabilities by specified due dates. For CVE-2023-41974, that deadline was March 26, 2026 — 21 days from the date of addition. The short window signals CISA's assessment of urgency. CISA's prescribed actions are clear: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

While BOD 22-01 is legally binding only for federal civilian agencies, the KEV catalog functions in practice as a universal prioritization signal. Vulnerability management programs across private industry, critical infrastructure sectors, and international government organizations treat KEV entries as high-priority remediation items. When CISA says a vulnerability is known to be exploited in the wild, that determination is grounded in threat intelligence, not theoretical risk modeling.

The catalog entry for CVE-2023-41974 carries one additional notation worth attention: ransomware campaign use is listed as "Unknown." That classification does not mean ransomware operators are not using it — it means CISA has not yet confirmed that specific use. Given the trajectory of Coruna from surveillance tool to criminal toolkit, that status may change.

Affected Devices, Apple's Response, and Deeper Defenses

Apple addressed CVE-2023-41974 in the iOS 17.0 and iPadOS 17.0 releases, shipped on September 18, 2023. Apple's description in the advisory — that a use-after-free issue was addressed with improved memory management — is characteristically terse but accurate: the fix involved tightening the memory management logic in the affected virtual memory copy functions so that VMEs in transition are properly re-validated after the map lock is reacquired. The NVD's CPE data for this CVE specifically lists iOS and iPadOS versions prior to 17.0 as vulnerable. While the underlying XNU kernel code is shared across Apple platforms including macOS, and the kfd exploit was confirmed working on macOS 13.4, the official Apple advisory reference for CVE-2023-41974 (HT213938) is specific to iOS 17 and iPadOS 17.

The advisory entry for CVE-2023-41974 carries a note that it was updated on December 22, 2023. Apple does not specify what changed in the update. This is not unusual for complex kernel vulnerabilities; Apple frequently revises advisory entries as its understanding of a flaw's scope sharpens after public disclosure and researcher scrutiny.

Devices that received the fix include the full range of hardware capable of running iOS 17: iPhone XS and all subsequent iPhone models, and the broad iPad device lineup listed above. Devices running iOS 16.6 or earlier, or those that cannot be upgraded to iOS 17, remain vulnerable. The jailbreak community's adoption of the Landa exploit method for iOS 16.5.x and 16.6.x confirms that those firmware versions were genuinely and stably exploitable prior to the patch.

It is also worth noting that the underlying XNU virtual memory code is shared across iOS, iPadOS, and macOS. Poulin-Belanger's kfd exploit code confirmed the vulnerability was functional on an M2 MacBook Air running macOS 13.4, and the shared XNU kernel source (xnu-8796.101.5) is identical across platforms. Users running macOS 13 Ventura who have not upgraded to macOS 14 Sonoma or later should treat their systems as having been exposed to the same kernel-level risk, even though Apple's published CVE advisory references are specific to the iOS and iPadOS fix.

What You Should Do Right Now

For individual users, the immediate remediation path is straightforward: update to iOS 17.0 or later, or to any subsequent iOS 17.x or 18.x release. As of March 2026, Apple's current iOS release is well past iOS 17.0, meaning any device on a current or recent update is protected against this specific flaw. To check and update: open Settings, tap General, then Software Update. Beyond updating, individual users should consider enabling Lockdown Mode on their devices. Coruna is explicitly programmed to abort execution when it detects Lockdown Mode is active, making it one of the few defenses that works even against a multi-exploit chain of this sophistication. For users who cannot update, a daily device restart will flush the PlasmaLoader implant from memory, though it does not prevent reinfection on subsequent visits to compromised sites.

For organizations managing fleets of Apple devices through MDM solutions, CVE-2023-41974's KEV status should trigger a compliance review. Any managed device running iOS or iPadOS prior to version 17.0 needs to be flagged and remediated. Devices that cannot be upgraded — due to age or device management policy — should be evaluated for risk and potentially removed from enterprise access until they are updated or replaced. However, the Coruna threat exposes a deeper architectural gap in enterprise mobile security: as security analysts from Everest Group noted in reporting by CSO Online, many enterprise mobile security programs were designed around device management rather than device integrity. MDM and app-layer controls operate above the kernel. If an attacker can reliably achieve WebKit code execution and escalate to kernel-level access, the device can misrepresent its own state, and many policy controls become irrelevant in practice. Organizations should consider deploying mobile threat defense (MTD) solutions that operate at the device integrity level, not just the management layer, and enforce Lockdown Mode policies on high-risk or executive devices.

For security teams conducting threat hunting, the Coruna exploit kit's delivery mechanisms — watering hole sites and fake finance or cryptocurrency pages — provide useful indicators. Web proxy logs, DNS query records, and endpoint detection data should be reviewed for anomalous connections originating from mobile devices, particularly iOS devices with older firmware. Specific network-level indicators include connections to suspicious .xyz domains and HTTP headers containing the fields sdkv and x-ts, which GTIG identified as potential C2 indicators. Hidden iFrame delivery and browser-based exploit chains leave traces in network telemetry that a well-tuned detection stack can surface. Google has added all identified Coruna-related domains and websites to its Safe Browsing service, and GTIG has published indicators of compromise in a free collection on VirusTotal.

The Bigger Defensive Question

CVE-2023-41974 — and Coruna more broadly — forces a question that goes beyond patching: what happens when surveillance-grade exploit chains stop being targeted tools and start being mass-market weapons? The traditional security model for iOS assumed that kernel exploits were expensive, rare, and wielded only against high-value targets. Coruna demonstrates that assumption is no longer safe. The exploit recycling economy has matured to the point where a kernel vulnerability patched in September 2023 can be weaponized at scale by December 2025, moving from commercial surveillance vendor to intelligence agency to criminal operation in under a year.

For Apple, the long-term response involves continued investment in hardware-level memory safety. The company has publicly discussed Memory Integrity Enforcement as a significant upgrade to memory safety protections in future hardware generations. For organizations and users, the lesson is more immediate: patching velocity for mobile devices must match the speed at which exploit toolkits propagate. A patch that exists but is not applied is not a defense — it is a documented attack surface.

Key Takeaways

Patched in 2023, weaponized at scale by 2025: CVE-2023-41974 illustrates that the lag between a patch release and active exploitation can be measured in years. The existence of public proof-of-concept code lowers the barrier for threat actors who did not find the flaw themselves. The exploit recycling economy has matured to the point where a well-documented kernel vulnerability becomes a mass-market weapon within months of entering the secondary market.
It is a post-exploitation enabler with chain-level impact: This vulnerability does not provide initial access on its own. It removes kernel memory protections after some degree of execution has already been achieved, making it a critical link in multi-stage attack chains like those used in the Coruna exploit kit. Within Coruna, CVE-2023-41974 sits downstream of WebKit remote code execution and PAC bypass stages, enabling the full privilege escalation that delivers the PlasmaLoader payload.
Commercial surveillance tools become criminal weapons: Coruna's trajectory — from surveillance vendor product to state espionage tool to financially motivated attack kit — is a documented pattern with growing frequency. The fact that both GTIG and iVerify independently tracked the same toolkit across three distinct threat actor ecosystems in under a year demonstrates how quickly exploit capabilities proliferate once containment fails.
The payload has shifted from surveillance to financial theft: The PlasmaLoader implant delivered by the UNC6691 campaign is purpose-built for cryptocurrency theft, hooking 18 wallet applications and scanning for seed phrases in Apple Notes. This is not intelligence collection — it is industrial-scale financial crime using nation-state-grade tools.
Lockdown Mode is a proven defense: Coruna explicitly checks for and avoids devices running in Apple's Lockdown Mode. Enabling it on high-risk devices provides a concrete, tested mitigation even against sophisticated multi-exploit chains.
CISA KEV status demands action: The addition of CVE-2023-41974 to the KEV catalog on March 5, 2026 is not a theoretical warning. It reflects confirmed, active, in-the-wild exploitation. Federal agencies have a 21-day remediation window; private organizations should treat it with similar urgency.
Update to iOS 17.0 or later to be protected: The fix has been available since September 2023. There is no technical reason a supported device should still be running iOS 16. If your device cannot run iOS 17, consult Apple's hardware compatibility documentation and consider whether the device should remain in use for sensitive activity.

CVE-2023-41974 is not an obscure, theoretical edge case. It is a confirmed, exploited, kernel-level vulnerability in Apple's widely deployed mobile operating systems, with a published exploit, a commercial exploit kit, a financial theft payload, and nation-state-linked actors in its chain of custody. The patch has existed for over two years. For any iOS or iPadOS device still running an unpatched version, that gap represents an open invitation.