Cyber Resilience

CVE-2024-23222

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 January 2024
Modified: 03 April 2026
KEV Added: 23 January 2024
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (70.0th percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23222 is a high-severity Type Confusion (CWE-843) vulnerability in WebKit, the browser engine used by Safari and by iOS, iPadOS, macOS, tvOS and visionOS (the CPE record lists it under Apple iPadOS). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 30.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations this analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation). For a deploying organization only SI-2 is actionable: the input-validation fix lives inside WebKit and arrives with the vendor update.

Deeper analysis

A type confusion issue in WebKit, addressed with improved checks, affects multiple Apple platforms. The fix ships in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, tvOS 17.3 and visionOS 1.0.2; releases before these fixed versions are affected. The flaw permits arbitrary code execution when processing maliciously crafted web content and carries a CVSS 3.1 base score of 8.8.

An unauthenticated remote attacker exploits the issue by luring a user to a specially crafted website; no privileges beyond normal web browsing are required. Code execution lands in the WebKit content process, which on Apple platforms runs sandboxed, so a full device compromise in practice means chaining this bug with a sandbox escape or kernel vulnerability. Third-party browsers on iOS and iPadOS are generally built on WebKit as well, so switching browsers is not a reliable workaround. The fix is associated with the Coruna exploit: it first shipped for current devices in iOS 17.3 on 22 January 2024, and the other listed updates back-port the same fix to devices that cannot move to the newest major release.

Apple's security advisories recommend installing the listed updates, which are available through the standard software update mechanism on each platform. The EPSS score cited in this analysis is 0.0062; EPSS is recomputed daily, which accounts for the slightly different header value of 0.0060.


Vulnerability details

A type confusion issue was addressed with improved checks. This issue is fixed in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, visionOS 1.0.2. Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 23 January 2024

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE-2024-23222 is a WebKit type confusion vulnerability enabling arbitrary code execution via maliciously crafted web content, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).

Affected Assets

Versions are affected only below the fixed release named in the advisory, so the ranges are exclusive of the fixed version.

Vendor  Product           Affected versions
apple   safari            < 17.3
apple   ipados            < 15.8.7 · 16.0 to < 16.7.5 · 17.0 to < 17.3
apple   iphone os (iOS)   < 15.8.7 · 16.0 to < 16.7.5 · 17.0 to < 17.3
apple   macos             12.0 to < 12.7.3 · 13.0 to < 13.6.4 · 14.0 to < 14.3
apple   tvos              < 17.3
apple   visionos          < 1.0.2
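A check of an inventory against the fixed releases above, as an added example that is not code from this page or from Apple. The first-fixed version table is transcribed from the advisory text; the product keys, the `status` and `triage` function names, the decision to treat a major version newer than any listed branch (for example iOS 18) as containing the fix, and the sample inventory are this example's own assumptions.

```python
"""Applicability check for CVE-2024-23222 against Apple's fixed versions.

Added example, not from the vulnerability page or Apple. FIXED is transcribed
from the advisory text; everything else (product keys, function names, the
handling of unlisted major versions, the sample inventory) is this example's own.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed release per product and major-version branch (from the advisory).
# A device is vulnerable if it runs a listed branch at a version below the fix.
FIXED: Dict[str, Dict[int, str]] = {
    "ios":      {15: "15.8.7", 16: "16.7.5", 17: "17.3"},
    "ipados":   {15: "15.8.7", 16: "16.7.5", 17: "17.3"},
    "macos":    {12: "12.7.3", 13: "13.6.4", 14: "14.3"},
    "safari":   {17: "17.3"},
    "tvos":     {17: "17.3"},
    "visionos": {1: "1.0.2"},
}


def parse_version(s: str) -> Version:
    """'16.7.5' -> (16, 7, 5); '17.3' -> (17, 3, 0). Padding to three
    components makes 17.3 equal to 17.3.0 and lets tuples compare directly."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def status(product: str, version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one product/version.

    Branches the advisory does not list are never reported as patched: an
    older major (e.g. iOS 14) is 'unknown', because the advisory says nothing
    about it. ASSUMPTION: a major newer than every listed branch (e.g. iOS 18)
    postdates and therefore contains the fix, so it is reported 'patched'."""
    branches = FIXED.get(product.lower())
    if branches is None:
        return "unknown"
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        return "patched" if v[0] > max(branches) else "unknown"
    return "vulnerable" if v < parse_version(fixed) else "patched"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group device names by status. Rows are (device_name, product, version)."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for name, product, version in inventory:
        out[status(product, version)].append(name)
    return out


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("ipad-ceo",      "ipados",   "16.7.4"),   # one patch level short of 16.7.5
    ("iphone-ops-1",  "ios",      "17.2.1"),
    ("iphone-ops-2",  "ios",      "17.3"),
    ("mbp-dev-7",     "macos",    "13.6.4"),   # exactly the fixed release
    ("mbp-dev-8",     "macos",    "14.2.1"),
    ("appletv-lobby", "tvos",     "17.2"),
    ("legacy-ipad",   "ipados",   "14.8.1"),   # branch not covered by the advisory
    ("vision-lab",    "visionos", "1.0.2"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The three-way result matters in practice: a device on a branch the advisory does not mention is not evidence of safety, and an MDM export that reports it as "patched" by default would hide exactly the devices that can no longer receive updates.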

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Addresses the type-confusion flaw through the improved checks Apple implemented in WebKit to reject maliciously crafted content before it reaches code-execution paths. This control is satisfied by the vendor's fix; it is not something a deploying organization can configure.

SI-2 Flaw Remediation (prevent): Requires timely application of the vendor patches (Safari 17.3 / iOS 17.3 and the back-ported releases) that remediate CVE-2024-23222 across all affected Apple platforms. This is the control defenders actually operate: inventory WebKit-bearing devices and verify each runs at or above the fixed version for its branch.

SI-16 Memory Protection (prevent): Memory-protection mechanisms on Apple platforms (the sandboxed WebKit content process, non-executable memory, pointer authentication on arm64e devices) raise the cost of turning a successful type confusion into arbitrary code execution. They reduce the blast radius but do not remove the need to patch.
