CVE-2024-23222
Published: 23 January 2024
Summary
CVE-2024-23222 is a high-severity Type Confusion (CWE-843) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 30.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A type confusion vulnerability in WebKit, addressed through improved input validation, affects multiple Apple platforms. The issue is fixed in Safari 17.3 along with iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.5, iPadOS 16.7.5, iOS 17.3, iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, and visionOS 1.0.2. The flaw permits arbitrary code execution when processing maliciously crafted web content and carries a CVSS 3.1 base score of 8.8.
An unauthenticated remote attacker can exploit the issue by convincing a user to visit a specially crafted website, achieving code execution in the context of the browser process without requiring user privileges beyond normal web browsing. The vulnerability is linked to the Coruna exploit. The fix was initially shipped for current iOS devices in version 17.3 on 22 January 2024, and the listed updates extend the same fix to devices that cannot receive the newest major releases.
Apple security advisories recommend installing the listed updates, which are available via the standard software update mechanisms on each platform. The current EPSS score stands at 0.0062.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-20741
Vulnerability details
A type confusion issue was addressed with improved checks. This issue is fixed in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, visionOS 1.0.2. Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.
- CWE(s)
- KEV Date Added: 23 January 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-23222 is a WebKit type confusion vulnerability enabling arbitrary code execution via maliciously crafted web content, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the type-confusion flaw by enforcing the improved input-validation checks that Apple implemented to reject maliciously crafted WebKit content before it reaches code-execution paths.
Requires timely application of the vendor patches (Safari 17.3 / iOS 17.3 and back-ported releases) that remediate CVE-2024-23222 across all affected Apple platforms.
Memory-protection mechanisms limit the ability of a successful type-confusion exploit to achieve arbitrary code execution by enforcing bounds and isolation on WebKit's memory objects.