CVE-2022-42842
Published: 15 December 2022
Summary
CVE-2022-42842 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Apple macOS. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-42842 is an out-of-bounds write vulnerability (CWE-787) stemming from insufficient memory handling in the kernel. It affects multiple Apple operating systems, including iOS 16 and iPadOS 16 prior to 16.2, macOS Monterey prior to 12.6.2, macOS Ventura prior to 13.1, macOS Big Sur prior to 11.7.2, tvOS prior to 16.2, and watchOS prior to 9.2. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction.
A remote attacker can exploit the issue to achieve arbitrary kernel code execution, potentially leading to full system compromise with impacts on confidentiality, integrity, and availability. Because the vulnerability resides in kernel memory handling and requires no privileges, it can be triggered directly over the network against unpatched devices.
Apple addressed the flaw through improved memory handling in the versions listed above. Corresponding security updates were published via the referenced Full Disclosure advisories in December 2022, directing administrators to apply the patches to eliminate the remote code execution path. The associated EPSS score has remained low, with a modest peak of 0.0531 that has since receded to 0.0384.
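As an added example (not Apple's or this page's code), the fixed versions listed above can be turned into a per-branch check for a device inventory; each macOS branch has its own fixed release, so 13.0 is still affected even though it sorts above 12.6.2. The inventory entries and function names are constructed for illustration, and branches the advisory does not name are reported as unknown.

```python
# Added example. Fixed versions are copied from the advisory text above,
# keyed by (platform, major version) because each branch has its own fix.
FIXED = {
    ("macos", 11): (11, 7, 2),   # Big Sur
    ("macos", 12): (12, 6, 2),   # Monterey
    ("macos", 13): (13, 1),      # Ventura
    ("ios", 16): (16, 2),
    ("ipados", 16): (16, 2),
    ("tvos", 16): (16, 2),
    ("watchos", 9): (9, 2),
}

def parse_version(text):
    """Turn '12.6.2' into (12, 6, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def status(platform, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one device."""
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown"            # unparseable version string
    fixed = FIXED.get((platform.strip().lower(), found[0]))
    if fixed is None:
        return "unknown"            # branch not named in the advisory
    # Pad to equal length so '13.1' and '13.1.0' compare as equal.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "patched" if found >= fixed else "vulnerable"

def triage(inventory):
    """Map each host name to its status; inventory is (host, platform, version)."""
    return {host: status(platform, version) for host, platform, version in inventory}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("mac-build-01", "macOS", "12.6.2"),
    ("mac-design-07", "macOS", "13.0.1"),
    ("mac-legacy-02", "macOS", "11.7.1"),
    ("ipad-kiosk-03", "iPadOS", "16.2"),
    ("iphone-sales-11", "iOS", "15.7.1"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```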
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-45905
Vulnerability details
The issue was addressed with improved memory handling. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. A remote user may be able to cause kernel code execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.