The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw affecting iOS, iPadOS, macOS, tvOS and watchOS to its catalog of known exploited vulnerabilities (KEVs), based on evidence of active exploitation.
The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.
“An attacker with arbitrary read and write ability may be able to bypass pointer authentication,” Apple said in an advisory, adding that the issue “may have been exploited against versions of iOS released before iOS 15.7. 1.”
The iPhone maker said the problem was resolved by improving controls. It is currently unknown how the vulnerability is weaponized in real-world attacks.
Interestingly, patches for the flaw were released on December 13, 2022, with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although they were only made public more than a year later, on January 9th. 2024.
It’s worth noting that Apple fixed a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, released on July 20, 2022. It’s not immediately clear whether the two vulnerabilities are related.
“An app with arbitrary kernel read and write capabilities may be able to bypass pointer authentication,” the company said at the time. “A logical problem was solved with better state management.”
In light of the active exploitation of CVE-2022-48618, CISA recommends that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.
The development also comes as Apple expanded patches for an actively exploited security flaw in its WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headphones. The fix is available in visionOS 1.0.2.