Cyber Resilience

CVE-2022-42856

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 December 2022
Modified: 23 October 2025
KEV added: 14 December 2022
Patch
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0015 (35.7th percentile)
Risk priority: 38 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-42856 is a high-severity Type Confusion (CWE-843) vulnerability in Apple iPhone OS. Its CVSS base score is 8.8 (High).

Operationally, EPSS ranks it at the 35.7th percentile by exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

A type confusion vulnerability, addressed through improved state handling, affects multiple Apple platforms including Safari, iOS, iPadOS, tvOS, and macOS. The flaw resides in the handling of web content and is fixed in Safari 16.2, iOS 15.7.2, iPadOS 15.7.2, iOS 16.1.2, tvOS 16.2, and macOS Ventura 13.1. Successful exploitation via maliciously crafted web content can result in arbitrary code execution, as reflected in the CVSS 8.8 rating for a network-accessible attack that requires user interaction.

An attacker can deliver malicious web content to a victim through a browser or web-enabled application on the affected platforms. If the target processes the content, the type confusion issue may be triggered to achieve code execution within the context of the vulnerable process, potentially allowing full compromise of the device or browser session.

Apple security updates released in December 2022 remediate the issue by updating the listed platform versions, with full advisories published via the referenced seclists.org disclosures. Users are advised to apply the patches promptly to eliminate the exposure.

Apple has stated that the vulnerability may have been actively exploited in the wild against iOS versions prior to 15.1. The associated EPSS score rose materially from a low baseline, peaking at 0.0281 on 2023-01-01 shortly after disclosure before receding, which indicates a temporary increase in observed exploitation interest.

Vulnerability details

A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

CWE(s): CWE-843 Type Confusion

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product      Affected versions
apple     safari       ≤ 16.2
apple     ipados       ≤ 15.7.2
apple     iphone os    ≤ 15.7.2 · 16.0 — 16.1.2
apple     macos        ≤ 13.1
apple     tvos         ≤ 16.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly requires timely installation of vendor patches that remediate the WebKit type-confusion flaw before exploitation.

SC-18 Mobile Code · partial match · prevent

Restricts or sandbox-executes mobile code (scripts, renderers) delivered via web content, limiting the attack surface that reaches the vulnerable WebKit state machine.

Memory protection · prevent

Implements memory-protection safeguards that block unauthorized code execution resulting from the type-confusion condition.

References