Apple Warns of New 0-Day CVE-2022-32917 Flaw on iOS, macOS
Apple on Monday rolled out emergency patches for an already exploited zero-day vulnerability in its macOS and iOS platforms.
Apple confirmed in-the-wild exploitation of the vulnerability in an advisory warning about code execution flaws in fully patched iPhone, iPad, and macOS devices.
The flaw (tracked as CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges. This flaw was reported by an anonymous researcher. “Apple is aware of a report that this issue may have been actively exploited,” the company said.
The affected devices include:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Macs running macOS Big Sur 11.7 and macOS Monterey 12.6
By using a specially crafted application, an attacker could exploit the CVE-2022-32917 vulnerability to execute arbitrary code with kernel privileges.
In addition to this bug, Apple fixed many other flaws in the same security updates. Among the more serious ones:
- CVE-2022-32886: A buffer overflow issue was addressed with improved memory handling.
- CVE-2022-32868: A logic issue was addressed with improved state management.
- CVE-2022-32912: An out-of-bounds read was addressed with improved bounds checking.
Apple also recommends that users of affected devices who have not yet upgraded complete the upgrade as soon as possible.
Users are also advised to enable automatic software updates by going to Settings > General > Software Updates > Enable Automatic Updates.
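An added check that is not part of the article: a POSIX shell script that decides whether a macOS version string still predates the releases named above. It assumes that Big Sur 11.7 and Monterey 12.6 are the first builds carrying the CVE-2022-32917 fix, and that `sw_vers` is available when run on the host.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: Big Sur 11.7 and
# Monterey 12.6 are the first builds that include the CVE-2022-32917 fix.

# Compare two dotted version strings; prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing trailing components count as 0, so 12.6 equals 12.6.0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Returns 0 when the given macOS version is older than the fixed release
# for its major version, 1 when the fix is present, and 2 when the major
# version is not one the advisory above covers (11 or 12).
needs_update() {
    v=$1
    case ${v%%.*} in
        11) fixed=11.7 ;;
        12) fixed=12.6 ;;
        *)  return 2 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -lt 0 ]
}

# Host mode: read the running version from sw_vers and report.
if [ "$1" = "--check-host" ]; then
    running=$(sw_vers -productVersion)
    if needs_update "$running"; then
        echo "macOS $running predates the CVE-2022-32917 fix; update now"
    else
        echo "macOS $running: fix present or version not covered by this advisory"
    fi
fi
```

Run it as `sh check.sh --check-host` on a Mac; without the flag it only defines the functions so it can be sourced from other tooling.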