CVE-2023-38600: Story of an innocent Apple Safari copyWithin gone (way) outside

In May 2023, we received a vulnerability report from an anonymous researcher regarding a vulnerability in Apple Safari. It turned out to be an interesting classic integer underflow vulnerability. Apple assigned CVE-2023-38600 to this issue and fixed it in the following security advisories:

— iOS 16.6 and iPadOS 16.6
— macOS Ventura 13.5
— tvOS 16.6
— Safari 16.6
— watchOS 9.6

 Now that this vulnerability has been addressed by the vendor, we are ready to share additional details with …

anonymous apple apple safari blog post cve integer ios ios 16 ipados issue may may 2023 report researcher safari security security advisories story vulnerability