CVE-2022-22587
Published: 2022-03-18
Priority: P185 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2022-02-11
Exploited in the wild
EPSS: 11.64% (95.5th percentile)
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_15.3_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 15.3 | 15.3 |
| apple | ipados | < 15.3 | 15.3 |
| apple | iphone_os | < 15.3 | 15.3 |
| apple | macos | < 11.6.3 | 11.6.3 |
| apple | macos | >= 12.0 < 12.2 | 12.2 |
| apple | macos | >= unspecified < 12.2 | 12.2 |
| apple | macos | >= unspecified < 11.6 | 11.6 |
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
Detection & IOCs (extracted from sources)
- Vulnerable component is IOMobileFrameBuffer; monitor for malicious applications interacting with this kernel extension on iOS/iPadOS and macOS.
- CVE-2022-22587 was actively exploited in the wild as a zero-day; treat any unpatched iOS/iPadOS 15.x or macOS (Big Sur < 11.6.3, Monterey < 12.2) device as high-risk and prioritise detection of privilege escalation to kernel from user-space applications.
- The vulnerability is a memory corruption flaw triggered via malformed input to IOMobileFrameBuffer; detection should focus on unexpected kernel-privilege execution originating from sandboxed or third-party applications.
- Affected products span multiple Apple OS families; ensure patch-level checks cover all three: iOS/iPadOS 15.3, macOS Big Sur 11.6.3, and macOS Monterey 12.2.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
Project0
2022 0-day In-the-Wild Exploitation…so far - Project Zero
project_zero·2022-06-01·CVSS 8.8
CVE-2016-5128 [HIGH] 2022 0-day In-the-Wild Exploitation…so far - Project Zero
Posted by Maddie Stone, Google Project Zero
This blog post is an overview of a talk, “0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available here.
For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report, which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nin
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
GHSA
GHSA-p75p-vc6x-p9wf: A memory corruption issue was addressed with improved input validation
ghsa_unreviewed·2022-03-19
CVE-2022-22587 [CRITICAL] CWE-787 GHSA-p75p-vc6x-p9wf: A memory corruption issue was addressed with improved input validation
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
VulnCheck
Apple Memory Corruption Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-22587 [CRITICAL] CWE-20 Apple Memory Corruption Vulnerability
Apple Memory Corruption Vulnerability
Apple IOMobileFrameBuffer contains a memory corruption vulnerability which can allow a malicious application to execute arbitrary code with kernel privileges.
Affected: Apple iOS and macOS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT213053; https://support.apple.com/kb/HT213054; https://support.apple.com/kb/HT213055; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf; https://resources.jamf.com/documents/technical-papers/Coldintro-Coldinvite-Mys
CISA
Apple Memory Corruption Vulnerability
cisa·2022-01-28·CVSS 9.8
CVE-2022-22587 [CRITICAL] CWE-20 Apple Memory Corruption Vulnerability
Vulnerability: Apple Memory Corruption Vulnerability
Affected: Apple iOS and macOS
Apple IOMobileFrameBuffer contains a memory corruption vulnerability which can allow a malicious application to execute arbitrary code with kernel privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22587
Remediation Due Date: 2022-02-11
Apple
CVE-2022-22587: iOS 15.3 and iPadOS 15.3
vendor_apple·2022-01-26·CVSS 9.8
CVE-2022-22587 [CRITICAL] CVE-2022-22587: iOS 15.3 and iPadOS 15.3
Apple Security Update: About the security content of iOS 15.3 and iPadOS 15.3
Product: iOS 15.3 and iPadOS
Version: 15.3
CVE: CVE-2022-22587
Component: IOMobileFrameBuffer
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
Apple
CVE-2022-22587: macOS Monterey 12.2
vendor_apple·2022-01-26·CVSS 9.8
CVE-2022-22587 [CRITICAL] CVE-2022-22587: macOS Monterey 12.2
Apple Security Update: About the security content of macOS Monterey 12.2
Product: macOS Monterey
Version: 12.2
CVE: CVE-2022-22587
Component: IOMobileFrameBuffer
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
Apple
CVE-2022-22587: macOS Big Sur 11.6.3
vendor_apple·2022-01-26·CVSS 9.8
CVE-2022-22587 [CRITICAL] CVE-2022-22587: macOS Big Sur 11.6.3
Apple Security Update: About the security content of macOS Big Sur 11.6.3
Product: macOS Big Sur
Version: 11.6.3
CVE: CVE-2022-22587
Component: IOMobileFrameBuffer
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
No detection rules found.
No public exploits indexed.
Sentinelone
10 Assumptions About macOS Security That Put Your Business At Risk
blogs_sentinelone·2022-02-07
10 Assumptions About macOS Security That Put Your Business At Risk
Macs are great, aren’t they? I have many. Aside from the two provided by my employer, I have five working Macs of my own, ranging from 2009 to 2021. I also run macOS on a number of virtual machines for research purposes. In fact, give me a few minutes and I could spin you up an instance of any version of macOS from 10.5.8 Leopard (circa 2008!) right through to the latest beta of macOS 12 Monterey. Yep, I’m an Apple nerd, a Mac geek, a macOS enthusiast, and I’ve spent over a decade now learning how Macs and macOS work. I’m also a Mac security researcher and having a catalogue of older versions of macOS is part of my arsenal of tools when it comes to understanding how to keep Macs and Mac users safe.
Most of my work nowadays revolves around identifying, tracking, and understanding Mac malwa
Checkpoint
31st January – Threat Intelligence Report
blogs_checkpoint·2022-01-31
CVE-2021-20038 31st January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st January, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Hacktivist group from Belarus called “Belarusian Cyber Partisans” has breached the computers systems of Belarusian Railways. Threat actors claim to have encrypted the network and are extorting the Belarusian government, asking for the release of 50 political prisoners and a pledge from Belarussian Railways to halt transpor
References
- https://support.apple.com/en-us/HT213053
- https://support.apple.com/en-us/HT213054
- https://support.apple.com/en-us/HT213055
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22587
Timeline
- 2022-01-28: Added to CISA KEV
- 2022-03-18: Published
- Exploited in the wild