Apple on Monday patched a high-severity zero-day vulnerability that gives attackers the ability to remotely execute malicious code that runs with the highest privileges inside the operating system kernel of fully up-to-date iPhones and iPads.
In an advisory, Apple said that CVE-2022-42827, as the vulnerability is tracked, “may have been actively exploited,” using a phrase that’s industry jargon for indicating a previously unknown vulnerability is being exploited. The memory corruption flaw is the result of an “out-of-bounds write,” meaning Apple software was placing code or data outside a protected buffer. Hackers often exploit such vulnerabilities so they can funnel malicious code into sensitive regions of an OS and then cause it to execute.
The vulnerability was reported by an “anonymous researcher,” Apple said, without elaborating.
This spreadsheet maintained by Google researchers showed that Apple fixed seven zero-days so far this year, not including CVE-2022-42827. Counting this latest one would bring that Apple zero-day total for 2022 to eight. Bleeping Computer, however, said CVE-2022-42827 is Apple’s ninth zero-day fixed in the last 10 months.