Apple releases fixes for two zero-days affecting Macs, iPhones and iPads
Jonathan Greig April 1, 2022

Apple published two notices on Thursday about two zero-day vulnerabilities affecting Macs, iPhones and iPads.

Apple released fixes for CVE-2022-22675 and CVE-2022-22674, both of which were submitted by anonymous researchers. 

“Apple is aware of a report that this issue may have been actively exploited,” the tech giant said of both vulnerabilities. 

CVE-2022-22675 relates to an out-of-bounds write issue affecting the AppleAVD media decoder. Apple said it was addressed with improved bounds checking. 

The company explained that the vulnerability would allow an attacker to take over a device and execute arbitrary code with kernel privileges.

CVE-2022-22674 is a similar out-of-bounds read issue affecting the Intel Graphics Driver that “may lead to the disclosure of kernel memory and was addressed with improved input validation.”

For Macs, the update is included in macOS Monterey 12.3.1. iPhones and iPads have the update in iOS 15.4.1 and iPadOS 15.4.1. 

The fix is for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). 

Apple declined to comment further about reports of the zero-days being exploited in the wild. 

Apple has already patched three zero-days this year and patched at least 17 throughout 2021.

| CVE | Patch Date | Description |
| --- | --- | --- |
| CVE-2022-22587 | January 27 | A memory corruption issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22594 | January 27 | A cross-origin issue affecting iOS, iPadOS, watchOS, tvOS, and macOS Monterey. |
| CVE-2022-22620 | February 10 | A use after free issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22675 | March 31 | An out-of-bounds write issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22674 | March 31 | An out-of-bounds read issue affecting macOS Monterey. |

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.