
CVE-2022-32893

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 August 2022
Modified: 23 October 2025
KEV Added: 18 August 2022
Patch: available (iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1)
CVSS v3.1: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0009 (25.2nd percentile)
Risk Priority: 38 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-32893 is a high-severity out-of-bounds write (CWE-787) vulnerability, listed here against Fedoraproject Fedora. Its CVSS v3.1 base score is 8.8 (High).

Operationally, EPSS ranks it at the 25.2nd percentile by exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An out-of-bounds write vulnerability (CWE-787) exists in WebKit and was addressed through improved bounds checking. The issue affects Safari on macOS Monterey prior to 12.5.1, as well as iOS and iPadOS prior to 15.6.1; processing maliciously crafted web content can trigger arbitrary code execution. The flaw carries a CVSS 3.1 score of 8.8: network attack vector, low attack complexity, no privileges required, and user interaction required (for example, visiting a crafted page).

An attacker can exploit the flaw remotely by serving malicious web content that triggers the out-of-bounds write, achieving arbitrary code execution on the target device. Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure.

Updates to iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 resolve the issue. The associated EPSS score rose from a low baseline to a peak of 0.0310 in late 2024 before receding, indicating a period of increased exploitation interest well after initial disclosure.

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 18 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product        Affected versions
apple           safari         ≤ 15.6.1
apple           ipados         ≤ 15.6.1
apple           iphone os      ≤ 15.6.1
apple           macos          12.0 to 12.5.1
fedoraproject   fedora         35, 36
debian          debian linux   10.0, 11.0
webkitgtk       webkitgtk      ≤ 2.36.7
wpewebkit       wpe webkit     ≤ 2.36.7

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely application of the vendor patches that added the improved bounds checking fixing the out-of-bounds write.

prevent: Requires validation of externally supplied web content to enforce proper bounds checking and thereby block the out-of-bounds write.

prevent: Implements memory-protection mechanisms that can block exploitation of the memory corruption even if the bounds flaw is triggered.

References