CVE-2022-32893
Published: 24 August 2022
Summary
CVE-2022-32893 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 25.2 percentile for exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An out-of-bounds write vulnerability (CWE-787) exists in WebKit and was addressed through improved bounds checking. The issue affects Safari on macOS Monterey prior to 12.5.1, as well as iOS and iPadOS prior to 15.6.1; processing maliciously crafted web content can trigger arbitrary code execution. The flaw carries a CVSS 3.1 score of 8.8: network attack vector, low attack complexity, no privileges required, and user interaction needed only in the form of visiting a crafted page.
An attacker can exploit the flaw remotely by serving malicious web content that triggers the out-of-bounds write, achieving arbitrary code execution on the target device. Apple has stated that the vulnerability may have been actively exploited in the wild at the time of disclosure.
Updates to iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 resolve the issue. The associated EPSS score rose from a low baseline to a peak of 0.0310 in late 2024 before receding, indicating a period of increased exploitation interest well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35959
Vulnerability details
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 18 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely application of the vendor patches (iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1) that added the improved bounds checking and fixed the out-of-bounds write.
- SI-10 (Information Input Validation): requires validation of externally supplied web content so that proper bounds checking is enforced and the out-of-bounds write is blocked.
- Memory protection: memory-protection mechanisms can block exploitation of the memory corruption even if the bounds flaw is triggered.
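The fixed versions named in the "Deeper analysis" section and the SI-2 (Flaw Remediation) control above reduce, in practice, to one question for an asset inventory: is each Apple device at or above the patched build? The script below is an added example written for this page, not code from the CVE record, from Apple, or from NIST. It encodes only the fixed versions the advisory states (iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1); the product keys, function names and the sample inventory are constructed assumptions. Because the advisory scopes the macOS fix to Monterey (12.x), other macOS major versions are reported as "unknown" rather than guessed.

```python
"""Patch-state triage for CVE-2022-32893 (added example; not from the original record)."""
from __future__ import annotations

# Minimum fixed builds as stated in the advisory. Product keys are an assumption
# made for this example; map your inventory's product names onto them.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "ios": (15, 6, 1),
    "ipados": (15, 6, 1),
    "macos": (12, 5, 1),   # macOS Monterey 12.5.1
    "safari": (15, 6, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5' or '15.6.1' into a comparable integer tuple.

    Missing trailing components are padded with zeros, so '12.5' compares as
    (12, 5, 0) and sorts below (12, 5, 1). Non-numeric input raises ValueError
    instead of silently comparing as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_vulnerable(product: str, version: str) -> bool | None:
    """Return True if below the fixed build, False if at/above it, None if the
    product (or major version) is not covered by this advisory."""
    key = product.lower()
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return None
    v = parse_version(version)
    # The advisory names Monterey (12.x) only; do not assume anything about
    # other macOS majors from this record.
    if key == "macos" and v[0] != 12:
        return None
    return v < fixed


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Bucket asset names into 'vulnerable', 'patched' and 'unknown'."""
    out: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for asset in inventory:
        state = is_vulnerable(asset["product"], asset["version"])
        bucket = "unknown" if state is None else ("vulnerable" if state else "patched")
        out[bucket].append(asset["name"])
    return out


# Constructed sample inventory: hypothetical host names and versions.
SAMPLE_INVENTORY = [
    {"name": "mbp-alice", "product": "macOS", "version": "12.5"},
    {"name": "mbp-bob", "product": "macOS", "version": "12.5.1"},
    {"name": "imac-lab", "product": "macOS", "version": "11.6.8"},
    {"name": "iphone-carol", "product": "iOS", "version": "15.6"},
    {"name": "ipad-dave", "product": "iPadOS", "version": "15.6.1"},
    {"name": "mbp-erin-safari", "product": "Safari", "version": "15.5"},
    {"name": "win-frank", "product": "Windows", "version": "10.0.19044"},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against the sample inventory, the script lists mbp-alice, iphone-carol and mbp-erin-safari as vulnerable, mbp-bob and ipad-dave as patched, and imac-lab (Big Sur, outside the advisory's scope) and win-frank as unknown. The "unknown" bucket is deliberate: a triage tool that silently treats out-of-scope or unparseable versions as patched hides exactly the assets that need a human look.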