CVE-2022-46689

CVSS 7 HIGHEPSS 43.1%CWE-362

In short

A race condition in Apple's operating systems allows an app to execute code with kernel-level privileges, potentially giving it complete control over the device. This is a serious vulnerability because kernel privileges grant the deepest access possible to a system.

Technical detail

A race condition (CWE-362) in iOS, macOS, tvOS, watchOS, and iPadOS allows a local app to achieve arbitrary code execution with kernel privileges through a time-of-check to time-of-use (TOCTOU) vulnerability. Exploitation requires the attacker to run code on the target device; successful exploitation results in complete system compromise.

Summary generated and translated by AI from the official description.

A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Apple · macOS Apple · tvOS Apple · watchOS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://seclists.org/fulldisclosure/2022/Dec/20 http://seclists.org/fulldisclosure/2022/Dec/21 http://seclists.org/fulldisclosure/2022/Dec/23 http://seclists.org/fulldisclosure/2022/Dec/24 http://seclists.org/fulldisclosure/2022/Dec/25 http://seclists.org/fulldisclosure/2022/Dec/26 http://seclists.org/fulldisclosure/2022/Dec/27 https://support.apple.com/en-us/HT213530 https://support.apple.com/en-us/HT213531 https://support.apple.com/en-us/HT213532 https://support.apple.com/en-us/HT213533 https://support.apple.com/en-us/HT213534