CVE-2023-42951: A user may be unable to delete browsing history items in Apple iOS and iPadOS

Severity: Medium
Type: Vulnerability
Published: Wed Feb 21 2024 (02/21/2024, 06:41:30 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

The issue was addressed with improved handling of caches. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user may be unable to delete browsing history items.

AI-Powered Analysis

Last updated: 11/04/2025, 20:06:41 UTC

Technical Analysis

CVE-2023-42951 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that affects the ability of users to delete browsing history items. The root cause lies in improper handling of caches related to browsing history, which prevents the deletion operation from completing successfully. This issue compromises the integrity of user data management by retaining browsing history items that users intend to remove, potentially exposing sensitive browsing information if devices are shared or inspected. The vulnerability does not allow unauthorized access or modification of data beyond this scope, nor does it affect system availability or confidentiality directly. The CVSS 3.1 base score of 4.3 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and limited impact on integrity only. Apple addressed this issue in iOS and iPadOS version 17.1 by improving cache handling mechanisms to ensure browsing history deletions are properly processed. There are no known exploits in the wild, indicating limited active threat. However, the inability to delete browsing history can have privacy implications, especially in environments where device sharing or forensic analysis occurs. This vulnerability is relevant for organizations and individuals relying on Apple mobile devices for secure and private browsing experiences.

Potential Impact

For European organizations, the primary impact of CVE-2023-42951 is related to user privacy and compliance with data protection regulations such as the GDPR. If users cannot delete browsing history, sensitive information may persist on devices longer than intended, increasing the risk of unauthorized disclosure during device sharing, loss, or inspection. This can undermine trust in organizational device management policies and potentially lead to non-compliance with privacy mandates. Although the vulnerability does not allow external attackers to compromise systems or data directly, it weakens user control over personal data, which is critical in privacy-conscious environments. Organizations that issue Apple devices to employees or manage mobile device fleets should be aware of this limitation and ensure timely updates to mitigate privacy risks. The impact on operational security is limited, but the reputational and regulatory risks related to privacy could be significant if not addressed.

Mitigation Recommendations

To mitigate CVE-2023-42951, organizations should prioritize updating all affected Apple devices to iOS and iPadOS version 17.1 or later, where the issue is resolved. Device management policies should enforce timely patch deployment and verify update compliance across mobile fleets. Additionally, organizations can implement mobile device management (MDM) solutions to monitor device versions and enforce security baselines. User training should emphasize the importance of applying updates and understanding privacy settings related to browsing history. For environments where device sharing is common, consider additional controls such as user profiles or secure browsing modes that limit history retention. Regular audits of device configurations and privacy settings can help detect residual risks. Finally, organizations should review their privacy policies and incident response plans to address potential data exposure scenarios arising from this vulnerability.

Technical Details

Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2023-09-14T19:05:11.475Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a5554a730e5a3d9d7a300

Added to database: 11/4/2025, 7:34:44 PM

Last enriched: 11/4/2025, 8:06:41 PM

Last updated: 12/20/2025, 2:13:59 PM
