CVE-2022-22620
Published: 18 March 2022
Summary
CVE-2022-22620 is a high-severity Use After Free (CWE-416) vulnerability in Apple Safari. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use after free vulnerability addressed through improved memory management affects WebKit in Safari 15.3 and earlier, as well as the corresponding web content rendering components in macOS Monterey prior to 12.2.1, iOS prior to 15.3.1, and iPadOS prior to 15.3.1. The flaw is tracked as CWE-416 and carries a CVSS 3.1 score of 8.8, reflecting network attack vectors that require no privileges but do involve user interaction.
An attacker can exploit the issue by serving maliciously crafted web content that triggers the use-after-free condition during rendering, resulting in arbitrary code execution within the context of the affected process. Because the vector is web content, exploitation can occur when a user visits a compromised or attacker-controlled site in an unpatched browser or application embedding WebKit.
Apple security updates HT213091, HT213092, and HT213093, along with corresponding Gentoo advisories, direct users to install the fixed versions of macOS Monterey 12.2.1, iOS 15.3.1, iPadOS 15.3.1, and Safari 15.3 to remediate the flaw.
Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure. The associated EPSS score rose materially from low values after publication to a peak of 0.1817 on 2023-01-01 before receding to the current 0.0402, indicating that exploitation interest increased post-disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27765
Vulnerability details
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-416
- KEV Date Added: 11 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patches (macOS 12.2.1, iOS 15.3.1, Safari 15.3) that remediate the use-after-free flaw before exploitation occurs.
- SI-16 (Memory Protection): Mandates memory-protection mechanisms that prevent use-after-free conditions during WebKit rendering of malicious web content.
- SC-18 (Mobile Code): Requires control over mobile code (JavaScript/WebKit content) to block or sandbox untrusted web pages that trigger the arbitrary-code-execution path.