CVE-2022-32939

Vulnerability

A memory handling issue exists in the Apple Neural Engine component of iOS and iPadOS, as described in the security updates [1][2]. The vulnerability allows an app to trigger improper memory handling, potentially leading to arbitrary code execution with kernel privileges. Affected versions include iOS and iPadOS prior to 15.7.1 and 16.1, impacting a wide range of devices such as iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) [2]. The issue was addressed with improved memory handling [1][2].

Exploitation

An attacker must have an app installed on the target device to exploit this vulnerability. No additional user interaction is required beyond the app's execution. The app can trigger the memory handling flaw to execute arbitrary code with kernel privileges, bypassing standard security boundaries [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with kernel privileges, resulting in full compromise of the device's confidentiality, integrity, and availability. The attacker gains the highest level of system access, enabling them to install malware, access sensitive data, or perform other malicious actions [1][2].

Mitigation

Apple has released fixes in iOS 15.7.1 and iPadOS 15.7.1 (released October 27, 2022) and iOS 16.1 and iPadOS 16 (released October 24, 2022) [1][2]. Users should update their devices to the latest available versions. No workarounds are documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.