CVE-2022-42856
In short
A type confusion vulnerability in Apple's web rendering engine allows attackers to execute arbitrary code by tricking the system into misidentifying data types while processing malicious web content. This is particularly dangerous because Apple confirmed it was actively exploited in real-world attacks.
Technical detail
Type confusion vulnerability (CWE-843) in WebKit's state handling mechanism; exploitation requires processing attacker-controlled web content, leading to memory corruption and arbitrary code execution. Fixed through improved type validation and state management across Safari, iOS, iPadOS, tvOS, and macOS.
Summary generated and translated by AI from the official description.
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Apple · tvOS
References
http://seclists.org/fulldisclosure/2022/Dec/21
http://seclists.org/fulldisclosure/2022/Dec/22
http://seclists.org/fulldisclosure/2022/Dec/23
http://seclists.org/fulldisclosure/2022/Dec/26
http://seclists.org/fulldisclosure/2022/Dec/28
https://security.gentoo.org/glsa/202305-32
https://support.apple.com/en-us/HT213516
https://support.apple.com/en-us/HT213531
https://support.apple.com/en-us/HT213532
https://support.apple.com/en-us/HT213535
https://support.apple.com/en-us/HT213537
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42856