CVE-2022-32940
Description
A memory consumption issue in Apple operating systems allows an app to execute arbitrary code with kernel privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability, identified as CVE-2022-32940, is a memory consumption issue in the kernel of Apple operating systems, addressed with improved bounds checks. It affects macOS Ventura 13, iOS 16.1, iPadOS 16, watchOS 9.1, and tvOS 16.1 [1][2][3][4]. Processing a maliciously crafted image may lead to arbitrary code execution with kernel privileges [1][2].
Exploitation
An attacker requires the ability to deliver a maliciously crafted image to the target device. This can be achieved through social engineering, malicious websites, or by injecting the image into a legitimate app. The victim must process the image, triggering the memory consumption issue. No additional authentication or special privileges are needed for exploitation beyond crafting the malicious input [1][2].
Impact
Successful exploitation allows an app to execute arbitrary code with kernel privileges, resulting in a full compromise of the device's confidentiality, integrity, and availability. The attacker gains the highest level of access, potentially enabling further attacks such as data exfiltration, installation of malware, or persistent unauthorized control [1][2].
Mitigation
Apple released fixes in October 2022: tvOS 16.1, iOS 16.1 and iPadOS 16, macOS Ventura 13, and watchOS 9.1 [1][2][3][4]. Users should update their devices to these versions immediately. No workarounds or mitigations are available for unpatched systems. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6 entries; no CPE identifiers are recorded for any of them)
- Group 1 (2 entries):
  - (no CPE) range: <16.1
  - (no CPE) range: unspecified
- Group 2 (2 entries):
  - (no CPE) range: <13
  - (no CPE) range: unspecified
- Group 3 (2 entries):
  - Range: <16.1
  - Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions (0)
No linked articles in our index yet.