CVE-2022-22674 & CVE-2022-22675: zero-day vulnerabilities affect iPhones, iPads, and Macs

CVE-2022-22674

A few weeks after the release of iOS 15.4, Apple updated the official version of iOS 15.4.1 recently. According to the released update content, iOS 15.4.1 does not bring functional upgrades, but mainly fixes some bugs. There is an out-of-bounds write issue (CVE-2022-22674) in the Intel Graphics Driver, that allows an application may be able to read kernel memory and this vulnerability is being exploited. Also, there is an out-of-bounds read issue (CVE-2022-22675) in the AppleAVD media decoder that allows an application may be able to execute arbitrary code with kernel privileges. Two flaws were reported by an anonymous researcher.

The affected devices include

  • Macs running macOS Monterey
  • iPhone 6s and later
  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple is aware of a report that this issue may have been actively exploited,” the company said. Apple also said it recommends that Apple users who have not yet upgraded and are affected by the vulnerability complete the upgrade as soon as possible.

In addition, Apple once fixed these vulnerabilities, iOS 15.4.1 fixed a bug that drains the battery of some iPhones, while macOS 12.3.1 fixes a Bluetooth bug.