VYPR
Unrated severity · NVD Advisory · Published May 26, 2022 · Updated Aug 3, 2024

CVE-2022-26751

Description

A memory corruption issue was addressed with improved input validation. This issue is fixed in iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, macOS Big Sur 11.6.6, macOS Monterey 12.4. Processing a maliciously crafted image may lead to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-26751 exists in Apple's image parsing code, where a memory corruption bug can let a crafted image achieve arbitrary code execution.

Vulnerability

A memory corruption issue in Apple's image processing code was addressed with improved input validation; it is fixed in iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, macOS Big Sur 11.6.6, and macOS Monterey 12.4. The bug is reachable when the system processes a maliciously crafted image file (e.g., via web page, email, or direct file open) and does not require any unusual configuration beyond the default image handling pipeline.

Exploitation

An attacker can exploit the vulnerability by delivering a specially crafted image to the target system. No authentication or elevated privileges are needed from the attacker; the victim must load the image (e.g., by viewing it in an application that uses the affected Apple frameworks). The memory corruption triggers when the malformed image is parsed, allowing the attacker to control execution flow.

Impact

Successful exploitation can lead to arbitrary code execution. Although the Apple advisory [1] for the related CVE-2022-26772 states “arbitrary code execution with kernel privileges,” the official CVE description for CVE-2022-26751 notes only arbitrary code execution, without specifying a privilege level. The attacker can execute arbitrary code in the context of the application or process that handles the image.

Mitigation

Apple released fixes on May 16, 2022, included in iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 for macOS Catalina, macOS Big Sur 11.6.6, and macOS Monterey 12.4 [1][2][3][4]. Users should update to the latest available versions for their devices. No workaround is provided; the only mitigation is installing the security update.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5

References

5