CVE-2022-42827
published 2022-11-01


Priority: P1, 82, high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
KEV, ITW
CISA Known Exploited Vulnerability, due 2022-11-15
Exploited in the wild
EPSS: 1.14% (62.5th percentile)
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 16.1 and iPadOS 16. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Affected

7 ranges

Vendor | Product               | Version range           | Fixed in
apple  | ios_15.7.1_and_ipados |                         |
apple  | ios_16.1_and_ipados   |                         |
apple  | ios_and_ipados        | >= unspecified, < 16.1  | 16.1
apple  | ios_and_ipados        | >= unspecified, < 15.7  | 15.7
apple  | ipados                | < 15.7.1                | 15.7.1
apple  | iphone_os             | < 15.7.1                | 15.7.1
apple  | iphone_os             | >= 16.0, < 16.1         | 16.1

Detection & IOCs (extracted from sources)

  • CVE-2022-42827 is an out-of-bounds write in the iOS/iPadOS Kernel exploitable via an attacker-controlled app to achieve kernel code execution; monitor for suspicious app-level processes attempting kernel privilege escalation on iOS 15.x/16.x devices prior to patched versions.
  • This is the third consecutive Kernel out-of-bounds memory vulnerability patched by Apple; correlate with prior in-the-wild exploitation of sibling CVEs CVE-2022-32894 and CVE-2022-32917 to identify threat actor patterns targeting Apple kernel memory.
  • Apple confirmed active exploitation in the wild; treat any unpatched iOS/iPadOS device (pre-iOS 15.7.1 / pre-iOS 16.1 / pre-iPadOS 16) as actively at risk and prioritize detection of kernel-privilege anomalies on those versions.
  • CISA mandated remediation by 2022-11-15; use MDM/EDM telemetry to identify unpatched Apple iOS and iPadOS endpoints still running vulnerable versions as a detection/triage signal.
  • The vulnerability is in the Kernel component; exploitation requires delivery via an attacker-controlled application, meaning the initial attack vector is app-layer (not network-facing), limiting network-based detection opportunities.
  • No public exploit code, malware samples, hashes, C2 infrastructure, or specific attacker tooling were disclosed in any of the sources; IOC-based detection is not currently possible from available intelligence.

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH