CVE-2022-22675
Vexday Risk Score
56 (Attention)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8 | EPSS 12.6% | KEV: yes | PoC: — | Nuclei: — | Metasploit: — | Patch: — (fixed versions are listed in the vendor description below)
Lifecycle
04 Apr 2022: Added to the CISA Known Exploited Vulnerabilities (KEV) catalog (active exploitation)
26 May 2022: Published on NVD
Recommendation: Patch as soon as possible; active exploitation is confirmed.
In short
A flaw in Apple kernel code lets an app installed on the device write data past the end of a kernel buffer, which can let it run attacker-controlled code with kernel privileges. The vulnerability is serious and is already being exploited in the wild.
Technical detail
Out-of-bounds write (CWE-787) in Apple kernel code caused by insufficient bounds checking; the fix adds the missing checks. The attack vector is local: the attacker needs an app running on the device (CVSS 3.1: AV:L, PR:N, UI:R), and successful exploitation yields arbitrary code execution with kernel privileges. Fixed across iOS, iPadOS, macOS, tvOS, and watchOS; active exploitation has been reported in the wild.
Summary generated and translated by AI from the official description.
Official description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
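The bug class described above, as an added example that is not code from Apple or from this page: a hypothetical kernel-side record with a fixed-size payload buffer that an app can fill through an offset/length interface. The first handler uses the caller's `off` and `len` unchecked (the CWE-787 pattern), so a write that does not fit in `data[]` spills into the kernel-owned field that follows it; the second adds the kind of bounds check the vendor fix describes. The struct, field names and the `off`/`len` interface are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel-side record filled from app-supplied input.
 * Illustrative only: names and layout are assumptions, not Apple's code. */
#define DESC_DATA_LEN 16

struct descriptor {
    uint8_t  data[DESC_DATA_LEN]; /* payload the app is allowed to fill */
    uint32_t flags;               /* kernel-owned state that follows it in memory */
};

/* Vulnerable pattern (CWE-787): off and len come from the caller and are used
 * unchecked, so a request with off + len > DESC_DATA_LEN writes past data[]
 * into whatever follows it (here, flags). */
int desc_write_vuln(struct descriptor *d, size_t off, const uint8_t *src, size_t len)
{
    memcpy(d->data + off, src, len);
    return 0;
}

/* Hardened version: the write must fit entirely inside data[].
 * The two comparisons are ordered so that off + len is never computed,
 * which rules out size_t wraparound (e.g. len == SIZE_MAX). */
int desc_write_fixed(struct descriptor *d, size_t off, const uint8_t *src, size_t len)
{
    if (off > DESC_DATA_LEN || len > DESC_DATA_LEN - off)
        return -1;                /* reject: would be an out-of-bounds write */
    memcpy(d->data + off, src, len);
    return 0;
}

int main(void)
{
    uint8_t payload[8];
    memset(payload, 0xFF, sizeof payload);   /* constructed attacker-controlled bytes */

    /* 12 + 8 = 20 > 16: the last 4 bytes land in flags, not in data[] */
    struct descriptor v = { {0}, 0x1 };
    desc_write_vuln(&v, 12, payload, sizeof payload);
    printf("vulnerable: flags = 0x%08x (was 0x00000001)\n", v.flags);

    struct descriptor f = { {0}, 0x1 };
    int rc = desc_write_fixed(&f, 12, payload, sizeof payload);
    printf("hardened:   rc = %d, flags = 0x%08x\n", rc, f.flags);
    return 0;
}
```

The check in `desc_write_fixed` is written as two comparisons rather than `off + len > DESC_DATA_LEN` on purpose: with caller-controlled `size_t` values the sum can wrap to a small number and pass a naive check, which is a common way a "fixed" bounds check stays exploitable.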