CVE-2022-22620
In short
A memory management flaw in Safari and Apple operating systems allows attackers to execute arbitrary code by crafting malicious web content. This vulnerability was actively exploited in the wild, making it a critical security threat.
Technical detail
A use-after-free vulnerability (CWE-416) in Safari's memory management allows remote code execution through maliciously crafted web content. The attack requires only web browsing interaction and has been actively exploited in the wild. Fixed in macOS Monterey 12.2.1, iOS 15.3.1, iPadOS 15.3.1, and Safari 15.3.
Summary generated and translated by AI from the official description.
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
public PoCs found — 2
github.com/springsec/CVE-2022-22620 (★ 6)
github.com/kmeps4/CVE-2022-22620 (★ 1)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.