
CVE-2022-22620

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 March 2022
Modified: 23 October 2025
KEV Added: 11 February 2022
Patch: available (fixed versions listed under Vulnerability details)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0402 (88.7th percentile)
Risk Priority: 40 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22620 is a high-severity use-after-free (CWE-416) vulnerability in WebKit, the rendering engine behind Apple Safari and the web content views used by iOS, iPadOS and macOS applications. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 11.3% of CVEs by estimated exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free bug, addressed through improved memory management, affects WebKit as shipped in Safari before 15.3 (including the initial Safari 15.3 release; the fix is in Safari 15.3 builds 16612.4.9.1.8 and 15612.4.9.1.8), in macOS Monterey before 12.2.1, and in iOS and iPadOS before 15.3.1. The flaw is tracked as CWE-416 and carries a CVSS 3.1 base score of 8.8: network attack vector, low attack complexity and no privileges required, but user interaction (loading the malicious content) is needed.

An attacker can exploit the issue by serving maliciously crafted web content that triggers the use-after-free condition during rendering, resulting in arbitrary code execution within the context of the affected process. Because the vector is web content, exploitation can occur when a user visits a compromised or attacker-controlled site in an unpatched browser or application embedding WebKit.

Apple security updates HT213091, HT213092, and HT213093, along with corresponding Gentoo advisories, direct users to install the fixed versions of macOS Monterey 12.2.1, iOS 15.3.1, iPadOS 15.3.1, and Safari 15.3 to remediate the flaw.

Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure. The associated EPSS score rose materially from low values after publication to a peak of 0.1817 on 2023-01-01 before receding to the current 0.0402, indicating that the estimated likelihood of exploitation increased after disclosure before settling.


Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s)
CWE-416 Use After Free

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product            Affected versions
apple    safari             up to and including 15.3 (Safari 15.3 builds before 16612.4.9.1.8 / 15612.4.9.1.8)
apple    ipados             before 15.3.1
apple    iphone os (iOS)    before 15.3.1
apple    macos (Monterey)   12.0.0 up to, but not including, 12.2.1

Ranges exclude the fixed release named in the Apple advisory for each product.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely application of the vendor patches (macOS 12.2.1, iOS/iPadOS 15.3.1, the fixed Safari 15.3 builds) that remediate the use-after-free flaw before exploitation occurs.

SI-16 Memory Protection (prevent)
Mandates memory-protection mechanisms (ASLR, non-executable memory, process sandboxing of the WebKit content process) that make a use-after-free harder to turn into reliable code execution; they raise the cost of exploitation but do not remove the bug itself.

SC-18 Mobile Code (prevent, partial match)
Requires control over mobile code (JavaScript and other active web content) so that untrusted pages are blocked or isolated before they reach the rendering path that triggers the arbitrary-code-execution flaw.
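As an added check for the remediation guidance above (the SI-2 control and the patch paragraph under Deeper analysis), the following POSIX shell script is not part of this page or of Apple's tooling. It compares reported version strings against the fixed releases named on this page, including the Safari 15.3 re-release, where the marketing version alone cannot tell a patched build from an unpatched one. `sw_vers -productVersion` is macOS's standard version query; reading Safari's build string from the CFBundleVersion key of Safari.app's Info.plist is an assumption, the helper names (version_lt, macos_vulnerable, ios_vulnerable, safari_vulnerable, report) are hypothetical, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not Apple tooling): check reported Apple version strings against
# the CVE-2022-22620 fixed releases named in Apple's advisories. Inputs must be
# dotted-numeric version strings; sample values below are constructed.

# version_lt A B: exit 0 when version A is strictly lower than B.
# Missing trailing components count as 0, so 15.3 < 15.3.1 and 12 == 12.0.0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
    bi="${b%%.*}"; if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# macOS Monterey: affected from 12.0.0 up to, but not including, 12.2.1.
# Other macOS majors are outside this page's asset list; there the Safari
# build check below is the relevant one.
macos_vulnerable() {
  case "$1" in
    12|12.*) version_lt "$1" 12.2.1 ;;
    *) return 1 ;;
  esac
}

# iOS and iPadOS both receive the fix in 15.3.1.
ios_vulnerable() { version_lt "$1" 15.3.1; }

# safari_vulnerable MARKETING_VERSION BUILD: Safari 15.3 carries the fix only
# in builds 16612.4.9.1.8 and 15612.4.9.1.8, so "15.3" alone cannot decide.
safari_vulnerable() {
  if version_lt "$1" 15.3; then return 0; fi
  [ "$1" = "15.3" ] || return 1            # 15.4 and later include the fix
  case "$2" in
    16612.*) version_lt "$2" 16612.4.9.1.8 ;;
    15612.*) version_lt "$2" 15612.4.9.1.8 ;;
    *) return 0 ;;  # unrecognised build line: treat as unpatched until verified by hand
  esac
}

# report LABEL VERSION CHECK [BUILD]: one line per asset; exit 0 when vulnerable.
report() {
  if "$3" "$2" "$4"; then
    echo "$1 $2${4:+ (build $4)}: VULNERABLE to CVE-2022-22620, update required"
  else
    echo "$1 $2${4:+ (build $4)}: not in the affected range"
    return 1
  fi
}

# On macOS, read live values; elsewhere, run the constructed samples.
if command -v sw_vers >/dev/null 2>&1; then
  report macOS "$(sw_vers -productVersion)" macos_vulnerable || :
  plist=/Applications/Safari.app/Contents/Info.plist
  if [ -f "$plist" ] && command -v defaults >/dev/null 2>&1; then
    # Assumption: CFBundleVersion holds the build string shown in the Apple advisory.
    report Safari "$(defaults read "$plist" CFBundleShortVersionString)" \
      safari_vulnerable "$(defaults read "$plist" CFBundleVersion)" || :
  fi
else
  report macOS 12.1 macos_vulnerable || :
  report macOS 12.2.1 macos_vulnerable || :
  report iOS 15.3 ios_vulnerable || :
  report Safari 15.3 safari_vulnerable 16612.4.9.1.0 || :   # constructed pre-fix build
  report Safari 15.3 safari_vulnerable 16612.4.9.1.8 || :
fi
```

The script answers only the narrow question of whether a host runs a fixed release; it says nothing about third-party applications that embed WebKit through their own copies on platforms the page does not list, and an unrecognised Safari build line is deliberately reported as unpatched rather than silently passed.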
