CVE-2022-46690
Published 2022-12-15
CVE-2022-46690: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2…
Priority P1 · 81 · high · 7.8 CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 0.53% (40.9th percentile)
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_16.2_and_ipados | — | — |
| apple | ipados | < 16.2 | 16.2 |
| apple | iphone_os | < 16.2 | 16.2 |
| apple | macos | < 13.1 | 13.1 |
| apple | macos_ventura | — | — |
| apple | tvos | < 16.2 | 16.2 |
| apple | tvos | >= unspecified < 16.2 | 16.2 |
| apple | tvos | >= unspecified < 13.1 | 13.1 |
| apple | tvos16.2 | — | — |
| apple | watchos | < 9.2 | 9.2 |
| apple | watchos | — | — |
| apple | watchos | >= unspecified < 9.2 | 9.2 |
Detection & IOCs (extracted from sources)
- Correlate within a 1–3 minute window: modification of Library/SMS/Attachments subdirectory (with no attachment file present), followed by data usage of com.apple.WebKit.WebContent, followed by modification of com.apple.locationd.StatusBarIconManager.plist — this pattern indicates a successful zero-click iMessage compromise.
- On the network level, identify exploitation attempts by a sequence of HTTPS connection events, discoverable in netflow data enriched with DNS/TLS host information or PCAP dumps.
- The vulnerable component is IOMobileFrameBuffer across iOS/iPadOS, macOS, tvOS, and watchOS. Focus kernel-level exploit detection on out-of-bounds write attempts targeting this kernel extension.
- The malicious toolset does not support persistence; devices may be reinfected after rebooting, so absence of indicators post-reboot does not confirm a clean device.
- The malware includes code specifically designed to clear traces of compromise, though forensic indicators remain detectable via iTunes/idevicebackup2 backups and mvt-ios analysis.
- If a new device was set up by migrating user data from a compromised older device, the iTunes backup will contain traces of compromise from both devices with correct timestamps — enabling retrospective detection.
- Secondary indicators (plist modifications, WebKit data usage) are less reliable individually and should only be treated as IOCs when multiple occur within a timeframe of minutes.
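The three-stage correlation from the first item above, sketched as an added example (not code from this page or from the sources it cites). The `time | kind | detail` timeline format, the event kind names and the sample rows are constructed for illustration and are not mvt-ios output.

```python
from datetime import datetime, timedelta

# Stages 2 and 3 of the correlation rule: (event kind, substring from the page).
FOLLOW_UPS = (
    ("data_usage", "com.apple.WebKit.WebContent"),
    ("plist_modified", "com.apple.locationd.StatusBarIconManager.plist"),
)
ATTACH_DIR = "Library/SMS/Attachments/"

# Constructed sample timeline; the "time | kind | detail" format is hypothetical.
SAMPLE = """\
2023-01-10T09:00:00 | dir_modified | Library/SMS/Attachments/1f/15
2023-01-10T09:00:02 | file_created | Library/SMS/Attachments/1f/15/IMG_0001.heic
2023-01-10T09:00:30 | data_usage | com.apple.WebKit.WebContent
2023-01-10T09:01:10 | plist_modified | com.apple.locationd.StatusBarIconManager.plist
2023-01-11T14:20:00 | dir_modified | Library/SMS/Attachments/ab/11
2023-01-11T14:20:45 | data_usage | com.apple.WebKit.WebContent
2023-01-11T14:21:50 | plist_modified | com.apple.locationd.StatusBarIconManager.plist
2023-01-12T08:00:00 | dir_modified | Library/SMS/Attachments/c3/03
2023-01-12T08:30:00 | data_usage | com.apple.WebKit.WebContent
2023-01-12T08:31:00 | plist_modified | com.apple.locationd.StatusBarIconManager.plist
"""

def parse(text):
    rows = (line.split(" | ", 2) for line in text.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in rows)

def correlate(text, window=timedelta(minutes=3)):
    """Return start times of ordered three-stage chains completed within `window`."""
    events, hits = parse(text), []
    for i, (t0, kind, path) in enumerate(events):
        if kind != "dir_modified" or not path.startswith(ATTACH_DIR):
            continue
        nearby = [e for e in events[i + 1:] if e[0] - t0 <= window]
        # "No attachment file present": skip directories that received a file.
        if any(k == "file_created" and d.startswith(path + "/") for _, k, d in nearby):
            continue
        stage = 0
        for _, k, d in nearby:
            if k == FOLLOW_UPS[stage][0] and FOLLOW_UPS[stage][1] in d:
                stage += 1
                if stage == len(FOLLOW_UPS):
                    hits.append(t0)
                    break
    return hits

if __name__ == "__main__":
    for start in correlate(SAMPLE):
        print("correlated sequence starting", start.isoformat())
```

Only the second constructed sequence is reported: the first directory received an attachment file, and the third sequence is spread over 31 minutes.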
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck · 7.8 HIGH
Apple
CVE-2022-46690: iOS 16.2 and iPadOS 16.2
vendor_apple·2022-12-13·CVSS 7.8
CVE-2022-46690 [HIGH] CVE-2022-46690: iOS 16.2 and iPadOS 16.2
Apple Security Update: About the security content of iOS 16.2 and iPadOS 16.2
Product: iOS 16.2 and iPadOS
Version: 16.2
CVE: CVE-2022-46690
Component: IOMobileFrameBuffer
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
Apple
CVE-2022-46690: tvOS 16.2
vendor_apple·2022-12-13·CVSS 7.8
CVE-2022-46690 [HIGH] CVE-2022-46690: tvOS 16.2
Apple Security Update: About the security content of tvOS 16.2
Product: tvOS 16.2
CVE: CVE-2022-46690
Component: IOMobileFrameBuffer
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
Apple
CVE-2022-46690: macOS Ventura 13.1
vendor_apple·2022-12-13·CVSS 7.8
CVE-2022-46690 [HIGH] CVE-2022-46690: macOS Ventura 13.1
Apple Security Update: About the security content of macOS Ventura 13.1
Product: macOS Ventura
Version: 13.1
CVE: CVE-2022-46690
Component: IOMobileFrameBuffer
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
Apple
CVE-2022-46690: watchOS 9.2
vendor_apple·2022-12-13·CVSS 7.8
CVE-2022-46690 [HIGH] CVE-2022-46690: watchOS 9.2
Apple Security Update: About the security content of watchOS 9.2
Product: watchOS
Version: 9.2
CVE: CVE-2022-46690
Component: IOMobileFrameBuffer
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
GHSA
GHSA-v86p-p58r-p852: An out-of-bounds write issue was addressed with improved input validation
ghsa_unreviewed·2022-12-15
CVE-2022-46690 [HIGH] CWE-787 GHSA-v86p-p58r-p852: An out-of-bounds write issue was addressed with improved input validation
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.
VulnCheck
Apple ipados Out-of-bounds Write
vulncheck·2022·CVSS 7.8
CVE-2022-46690 [HIGH] Apple ipados Out-of-bounds Write
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.
Affected: Apple ipados
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/operation-triangulation/109842/; https://go.recordedfuture.com/hubfs/reports/CTA-2024-0416.pdf
No detection rules found.
No public exploits indexed.
- http://seclists.org/fulldisclosure/2022/Dec/20
- http://seclists.org/fulldisclosure/2022/Dec/23
- http://seclists.org/fulldisclosure/2022/Dec/26
- http://seclists.org/fulldisclosure/2022/Dec/27
- https://support.apple.com/en-us/HT213530
- https://support.apple.com/en-us/HT213532
- https://support.apple.com/en-us/HT213535
- https://support.apple.com/en-us/HT213536