⚠ Actively exploited

Added to CISA KEV on 2022-09-14. Federal agencies required to patch by 2022-10-05. Required action: Apply updates per vendor instructions..

CVE-2022-32917

CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation10 documents7 sources

Severity

7.8HIGH

EPSS

0.5%

top 33.12%

CISA KEV

KEV

Added 2022-09-14

Due 2022-10-05

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS Apple Macos Apple Ipados +1 more

Timeline

KEV addedSep 14

PublishedSep 20

Latest updateSep 21

KEV dueOct 5

CISA Required Action: Apply updates per vendor instructions.

Description

The issue was addressed with improved bounds checks. This issue is fixed in macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5apple/macosunspecified — 11.7+2

▶NVDapple/macos11.0 — 11.7+1

▶NVDapple/ipados< 15.7

▶CVEListV5apple/iosunspecified — 16

▶NVDapple/iphone_os< 15.7

🔴Vulnerability Details

GHSA

GHSA-fffx-3h8f-f943: The issue was addressed with improved bounds checks↗2022-09-21

▶

CVEList

CVE-2022-32917: The issue was addressed with improved bounds checks↗2022-09-20

▶

VulnCheck

Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability↗2022

▶

Project0

Project Zero RCA: CVE-2022-32917: AppleSPU out of bounds write↗

▶

📋Vendor Advisories

CISA

Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability↗2022-09-14

▶

Apple

CVE-2022-32917: iOS 15.7 and iPadOS 15.7↗2022-09-12

▶

Apple

CVE-2022-32917: macOS Big Sur 11.7↗2022-09-12

▶

Apple

CVE-2022-32917: iOS 16↗2022-09-12

▶

Apple

CVE-2022-32917: macOS Monterey 12.6↗2022-09-12

▶