Apple releases fixes for two zero-days affecting Macs, iPhones and iPads

Apple published two notices on Thursday about two zero-day vulnerabilities affecting Macs, iPhones and iPads.

Apple released fixes for CVE-2022-22675 and CVE-2022-22674, both of which were submitted by anonymous researchers.

“Apple is aware of a report that this issue may have been actively exploited,” the tech giant said of both vulnerabilities.

CVE-2022-22675 relates to an out-of-bounds write issue affecting the AppleAVD media decoder. Apple said it was addressed with improved bounds checking.

The company explained that the vulnerability would allow an attacker to take over a device and execute arbitrary code with kernel privileges.

CVE-2022-22674 is a similar out-of-bounds read issue affecting the Intel Graphics Driver that “may lead to the disclosure of kernel memory and was addressed with improved input validation.”

For Macs, the update is included in macOS Monterey 12.3.1. iPhones and iPads have the update in iOS 15.4.1 and iPadOS 15.4.1.

The fix is for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple declined to comment further about reports of the zero-days being exploited in the wild.

Apple has already patched three zero-days this year and patched at least 17 throughout 2021.