CVE-2022-42856
Published: 15 December 2022
Summary
CVE-2022-42856 is a high-severity Type Confusion (CWE-843) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 35.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
A type confusion vulnerability addressed through improved state handling affects multiple Apple platforms including Safari, iOS, iPadOS, tvOS, and macOS. The flaw resides in the handling of web content and is fixed in Safari 16.2, iOS 15.7.2, iPadOS 15.7.2, iOS 16.1.2, tvOS 16.2, and macOS Ventura 13.1. Successful exploitation of maliciously crafted web content can result in arbitrary code execution, as reflected in the CVSS 8.8 rating for network-accessible attacks requiring user interaction.
An attacker can deliver malicious web content to a victim through a browser or web-enabled application on the affected platforms. If the target processes the content, the type confusion issue may be triggered to achieve code execution within the context of the vulnerable process, potentially allowing full compromise of the device or browser session.
Apple security updates released in December 2022 remediate the issue by updating the listed platform versions, with full advisories published via the referenced seclists.org disclosures. Users are advised to apply the patches promptly to eliminate the exposure.
Apple has stated that the vulnerability may have been actively exploited in the wild against iOS versions prior to 15.1. The associated EPSS score rose materially from a low baseline to a peak of 0.0281 shortly after disclosure on 2023-01-01 before receding, indicating a temporary increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-45919
Vulnerability details
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution.…
more
Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1..
- CWE(s)
- KEV Date Added
- 14 December 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor patches that remediate the WebKit type-confusion flaw before exploitation.
Restricts or sandbox-executes mobile code (scripts, renderers) delivered via web content, limiting the attack surface that reaches the vulnerable WebKit state machine.
Implements memory-protection safeguards that block unauthorized code execution resulting from the type-confusion condition.