CVE-2022-40303 & CVE-2022-40304: RCE flaws in Apple iOS, macOS
Apple released security updates on Wednesday to fix two high-severity vulnerabilities in the libxml2 library that could be exploited to compromise iPhones, iPads, and Macs.
Libxml2 is the XML C parser and toolkit developed for the GNOME project (but usable outside the GNOME platform); it is free software available under the MIT License. Libxml2 is known to be very portable: the library should build and work without serious trouble on a variety of systems (Linux, Unix, Windows, Cygwin, macOS, RISC OS, OS/2, VMS, QNX, MVS, …).
The first bug (CVE-2022-40303) is an integer overflow in parse.c that can be triggered while parsing content when the XML_PARSE_HUGE option is set. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2022-40304 exists in entities.c and is related to the way libxml2 handles reference cycles, involving corruption of the parser dictionary (dict). By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Apple's advisory describes the impact of both flaws the same way: “A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes.
Apple addressed CVE-2022-40303 & CVE-2022-40304 with improved input validation and checks in iOS 16.1.1, iPadOS 16.1.1, and macOS Ventura 13.0.1.
Although these bugs were not used in attacks, it’s still strongly recommended to install the updates as soon as possible to block potential attack attempts.