CVE-2022-46690
published 2022-12-15


Priority: P1 · 81 · high
CVSS 3.1 base score: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV, exploited in the wild
EPSS: 0.53% (40.9th percentile)
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

Affected

12 ranges
Vendor  Product               Version range            Fixed in
apple   ios_16.2_and_ipados
apple   ipados                < 16.2                   16.2
apple   iphone_os             < 16.2                   16.2
apple   macos                 < 13.1                   13.1
apple   macos_ventura
apple   tvos                  < 16.2                   16.2
apple   tvos                  >= unspecified < 16.2    16.2
apple   tvos                  >= unspecified < 13.1    13.1
apple   tvos                  16.2
apple   watchos               < 9.2                    9.2
apple   watchos
apple   watchos               >= unspecified < 9.2     9.2

Detection & IOCs (extracted from sources)

path: Library/Preferences/com.apple.ImageIO.plist
path: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
path: Library/Preferences/com.apple.imservice.ids.FaceTime.plist
path: com.apple.softwareupdateservicesd.plist
  • Correlate within a 1–3 minute window: modification of a Library/SMS/Attachments subdirectory (with no attachment file present), followed by data usage by com.apple.WebKit.WebContent, followed by modification of com.apple.locationd.StatusBarIconManager.plist. This ordered sequence indicates a successful zero-click iMessage compromise.
  • At the network level, identify exploitation attempts by a sequence of HTTPS connection events, discoverable in netflow data enriched with DNS/TLS host information or in PCAP dumps.
  • The vulnerable component is the IOMobileFrameBuffer kernel extension, shared across iOS/iPadOS, macOS, tvOS and watchOS; kernel-level exploit detection should focus on out-of-bounds write attempts against it.
  • The malicious toolset does not support persistence: devices may be reinfected after rebooting, so the absence of indicators after a reboot does not confirm a clean device.
  • The malware includes code specifically designed to clear traces of compromise, but forensic indicators remain detectable in iTunes/idevicebackup2 backups analysed with mvt-ios.
  • If a new device was set up by migrating user data from a compromised older device, the iTunes backup contains traces of compromise from both devices with correct timestamps, which enables retrospective detection.
  • Secondary indicators (plist modifications, WebKit data usage) are less reliable individually and should only be treated as IOCs when several occur within a window of minutes.
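The two timing rules above (the ordered three-event sequence, and the "several secondary indicators within minutes" rule) are easy to get wrong by eyeballing a timeline, so here is an added worked example, written for this page and not taken from the CVE entry or from the reports it quotes. It assumes the caller has already normalised a backup timeline (for instance the mvt-ios timeline output) into `timestamp|kind|detail` lines; the event kinds `dir_modified`, `file_created`, `file_modified` and `data_usage` and the sample timeline are constructed for illustration.

```python
"""Correlate the iMessage zero-click compromise pattern over a device timeline.

Added example, not the CVE entry's or the source reports' own tooling.
Assumed input: 'ISO-timestamp|kind|detail' lines normalised by the caller from a
backup timeline; kinds and sample data below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Indicator paths and process name quoted on the page.
SMS_ATTACHMENTS_DIR = "Library/SMS/Attachments/"
STATUSBAR_PLIST = "Library/Preferences/com.apple.locationd.StatusBarIconManager.plist"
WEBCONTENT_PROCESS = "com.apple.WebKit.WebContent"
SECONDARY_PLISTS = {
    "Library/Preferences/com.apple.ImageIO.plist",
    "Library/Preferences/com.apple.imservice.ids.FaceTime.plist",
    STATUSBAR_PLIST,
}


def parse_events(lines):
    """Parse 'ts|kind|detail' lines into a time-sorted list of (datetime, kind, detail)."""
    events = []
    for line in lines:
        ts, kind, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    events.sort()
    return events


def find_sequence(events, window=timedelta(minutes=3)):
    """Return (t_attach, t_webkit, t_plist) for the first ordered sequence
    SMS/Attachments subdir modified -> WebContent data usage -> StatusBarIconManager
    plist modified, all within `window`; None if no such sequence exists."""
    for i, (t0, kind0, d0) in enumerate(events):
        if not (kind0 == "dir_modified" and d0.startswith(SMS_ATTACHMENTS_DIR)):
            continue
        # "No attachment file present": a real attachment lands under the same subdir.
        if any(k == "file_created" and d.startswith(d0)
               for t, k, d in events if t0 <= t <= t0 + window):
            continue
        webkit_t = None
        for t1, kind1, d1 in events[i + 1:]:
            if t1 - t0 > window:
                break
            if webkit_t is None and kind1 == "data_usage" and d1 == WEBCONTENT_PROCESS:
                webkit_t = t1
            elif webkit_t is not None and kind1 == "file_modified" and d1 == STATUSBAR_PLIST:
                return (t0, webkit_t, t1)
    return None


def secondary_indicator_clusters(events, window=timedelta(minutes=3), min_hits=2):
    """Group secondary indicators (plist modifications, WebContent data usage) that
    fall within `window` of each other; keep only groups with >= min_hits distinct
    indicators, per the rule that a lone secondary hit is not an IOC."""
    hits = [(t, k, d) for t, k, d in events
            if (k == "file_modified" and d in SECONDARY_PLISTS)
            or (k == "data_usage" and d == WEBCONTENT_PROCESS)]
    clusters = []
    i = 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        group = hits[i:j + 1]
        if len({(k, d) for _, k, d in group}) >= min_hits:
            clusters.append(group)
        i = j + 1
    return clusters


# Constructed sample timeline (not real forensic data).
SAMPLE = [
    "2023-05-10T09:00:00|file_modified|Library/Preferences/com.apple.ImageIO.plist",  # lone hit: noise
    "2023-05-10T12:00:00|dir_modified|Library/SMS/Attachments/ab/11",                 # no file follows
    "2023-05-10T12:00:41|data_usage|com.apple.WebKit.WebContent",
    "2023-05-10T12:01:55|file_modified|Library/Preferences/com.apple.locationd.StatusBarIconManager.plist",
    "2023-05-10T15:30:00|dir_modified|Library/SMS/Attachments/cd/07",                 # ordinary attachment
    "2023-05-10T15:30:02|file_created|Library/SMS/Attachments/cd/07/IMG_0001.jpeg",
    "2023-05-10T15:30:30|data_usage|com.apple.WebKit.WebContent",
]

if __name__ == "__main__":
    ev = parse_events(SAMPLE)
    print("compromise sequence:", find_sequence(ev))
    print("secondary clusters:", len(secondary_indicator_clusters(ev)))
```

On the sample the 12:00 sequence is reported as a compromise, the 15:30 SMS event is discarded because a real attachment file appeared under the same subdirectory, and the 09:00 ImageIO.plist modification is dropped as a lone secondary indicator. Because the toolset does not persist, run this over the whole backup history rather than only the most recent boot.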

CVSS provenance

NVD: CVSS v3.1 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VulnCheck: 7.8 HIGH