CVE-2022-22675: 0-day vulnerability affect Apple Watch and Apple TV

Today, Apple updated the official version of macOS Big Sur 11.6, watchOS 8.6, and tvOS 15.5. According to the released update content, these new versions do not bring functional upgrades but mainly fix some bugs. There is an out-of-bounds write issue (CVE-2022-22675) in the AppleAVD (a kernel extension for audio and video decoding), that allows apps to execute arbitrary code with kernel privileges and this vulnerability is being exploited. This flaw was reported by an anonymous researcher. “Apple is aware of a report that this issue may have been actively exploited,” the company said.

The affected devices include:

•  Apple Watch Series 3 or late
• Macs running macOS Big Sur
• Apple TV 4K, Apple TV 4K (2nd generation)
• Apple TV HD

In addition to CVE-2022-22675, Apple fixes many flaws in these security updates.

• CVE-2022-26702: A use after free issue was addressed with improved memory management.
• CVE-2022-26724: An authentication issue was addressed with improved state management.
• CVE-2022-26736/26737/26738/26739/26740: An out-of-bounds write issue was addressed with improved bounds checking.
• CVE-2022-26763: An out-of-bounds access issue was addressed with improved bounds checking.
• CVE-2022-26711: An integer overflow was addressed with improved input validation.
• CVE-2022-26701: A race condition was addressed with improved locking.
• CVE-2022-26768: A memory corruption issue was addressed with improved state management.
• CVE-2022-26771: A memory corruption issue was addressed with improved state management.
• CVE-2022-26714: A memory corruption issue was addressed with improved validation.
• CVE-2022-26757: A use after free issue was addressed with improved memory management.
• CVE-2022-26764: A race condition was addressed with improved state handling
• CVE-2022-26706: An access issue was addressed with additional sandbox restrictions on third-party applications.
• CVE-2022-23308: A use after free issue was addressed with improved memory management.
• CVE-2022-26766: A certificate parsing issue was addressed with improved checks
• CVE-2022-26700: A memory corruption issue was addressed with improved state management
• CVE-2022-26709/CVE-2022-26710/CVE-2022-26717: A use after free issue was addressed with improved memory management
• CVE-2022-26716/CVE-2022-26719: A memory corruption issue was addressed with improved state management.
• CVE-2022-26745: A memory corruption issue was addressed with improved validation.

Apple also said it recommends that Apple users who have not yet upgraded and are affected by the vulnerability should complete the upgrade as soon as possible.