CVE-2022-42827 is the eighth kernel level flaw so far this year for which Apple has released a patch only after active exploitation was underway [277 words].
What: CISA has added a newly disclosed vulnerability (CVE-2022-42827) in different versions of iOS and iPadOS, to its catalog of Known Exploited Vulnerabilities. US federal civilian executive branch agencies have until Nov. 15 to update to the newly patched versions of the software—iOS 16.1 and/or iPadOS 16.
CVE-2022-42827 was one of 20 vulnerabilities that Apple addressed on October 24 with the release of iOS 16.1 and iPadOS 16.
CVE-2022-42827 is an out-of-bounds write (memory corruption) issue (CWE-787) that gives attackers a way to execute arbitrary code with kernel level privileges on vulnerable systems. Apple said it is aware of at least one report about attackers actively exploiting the vulnerability in the wild. Apple credited the bug discovery to an anonymous researcher and said it had addressed the issue with improved bounds checking in the newly updated versions of iOS and iPadOS.
The vulnerability is the eight kernel-level, zero-day vulnerability that Apple has disclosed so far in 2022. “This, as well as previously disclosed kernel exploits, continue to show a trend in the kernel becoming a comfortable place for threat actors to uncover new attack vectors,” security vendor Nuclear Security said. It recommended that organizations ensure workers using personal devices for work update their devices as frequently as possible.
Apple’s October 24 update included fixes for two other kernel level bugs– CVE-2022-32924 and CVE-2022-42808.
The details
Apple vulnerability disclosure
CISA Known Exploited Vulnerabilities catalog