CVE-2024-23222: Apple Multiple Products Type Confusion Vulnerability
First published: Mon Jan 22 2024(Updated: )
A type confusion issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
Credit: product-security@apple.com product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple Multiple Products | ||
| Apple Safari | <17.3 | 17.3 |
| Apple iPhone | ||
| Apple macOS Ventura | <13.6.4 | 13.6.4 |
| Apple macOS Monterey | <12.7.3 | 12.7.3 |
| Apple visionOS | <1.0.2 | 1.0.2 |
| Apple iOS | <16.7.5 | 16.7.5 |
| Apple iPadOS | <16.7.5 | 16.7.5 |
| Apple tvOS | <17.3 | 17.3 |
| Apple macOS Sonoma | <14.3 | 14.3 |
| Apple iOS | <17.3 | 17.3 |
| Apple iPadOS | <17.3 | 17.3 |
| Apple Safari | <17.3 | |
| Apple iPadOS | >16.0<16.7.5 | |
| Apple iPadOS | >17.0<17.3 | |
| Apple iPhone OS | >16.0<16.7.5 | |
| Apple iPhone OS | >17.0<17.3 | |
| Apple macOS | >=12.0<12.7.3 | |
| Apple macOS | >=13.0<13.6.4 | |
| Apple macOS | >=14.0<14.3 | |
| Apple tvOS | <17.3 | |
| Apple visionOS | <1.0.2 | |
| ubuntu/webkit2gtk | <2.42.5-0ubuntu0.22.04.2 | 2.42.5-0ubuntu0.22.04.2 |
| ubuntu/webkit2gtk | <2.42.5-0ubuntu0.23.10.2 | 2.42.5-0ubuntu0.23.10.2 |
| ubuntu/webkit2gtk | <2.42.5 | 2.42.5 |
| debian/webkit2gtk | <=2.36.4-1~deb10u1<=2.38.6-0+deb10u1<=2.42.2-1~deb11u1<=2.42.2-1~deb12u1 | 2.42.5-1~deb11u1 2.42.5-1~deb12u1 2.42.5-1 2.44.1-1 |
| debian/wpewebkit | <=2.38.6-1~deb11u1<=2.38.6-1 | 2.42.5-1 2.44.1-1 |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT214055,
- https://support.apple.com/en-us/HT214056,
- https://support.apple.com/en-us/HT214057,
- https://support.apple.com/en-us/HT214058,
- https://support.apple.com/en-us/HT214059,
- https://support.apple.com/en-us/HT214061,
- https://support.apple.com/en-us/HT214063 (Advisory)
- https://support.apple.com/en-us/HT214056 (Advisory)
- https://www.theregister.com/2024/01/29/infosec_news_roundup_in_brief/
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-patched-iphone-kernel-bug-now-exploited-in-attacks/
- https://support.apple.com/en-us/HT214058 (Advisory)
- https://support.apple.com/en-us/HT214057 (Advisory)
- https://support.apple.com/en-us/HT214070 (Advisory)
- https://support.apple.com/en-us/HT214059 (Advisory)
- https://support.apple.com/en-us/HT214055 (Advisory)
- https://support.apple.com/en-us/HT214061 (Advisory)
- https://support.apple.com/kb/HT214063
- https://launchpad.net/bugs/cve/CVE-2024-23222
- https://webkitgtk.org/security/WSA-2024-0001.html
- https://security-tracker.debian.org/tracker/CVE-2024-23222
- https://ubuntu.com/security/notices/USN-6631-1
- https://www.cve.org/CVERecord?id=CVE-2024-23222
- https://nvd.nist.gov/vuln/detail/CVE-2024-23222
- https://ubuntu.com/security/CVE-2024-23222
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-23211
- CVE-2024-23206
- CVE-2024-23213
- CVE-2024-23222
- CVE-2022-48618
- CVE-2023-42916
- CVE-2023-42917
- CVE-2024-23212
- CVE-2023-42937
- CVE-2023-40528
- CVE-2023-38545
- CVE-2023-38039
- CVE-2023-38546
- CVE-2024-23224
- CVE-2023-42888
- CVE-2023-42935
- CVE-2024-23207
- CVE-2023-42887
- CVE-2024-23214
- CVE-2024-23218
- CVE-2024-23208
- CVE-2024-23201
- CVE-2024-23223
- CVE-2024-23215
- CVE-2024-23210
- CVE-2024-23209
- CVE-2024-23203
- CVE-2024-23204
- CVE-2024-23217
- CVE-2024-23219
- agent/first-publish-date
- agent/type
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/remedy
- agent/title
- collector/apple-support
- source/Apple
- collector/the-register
- source/The Register
- alias/CVE-2024-20253
- alias/CVE-2024-23222
- agent/weakness
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2022-48618
- alias/CVE-2023-42916
- alias/CVE-2023-42917
- agent/severity
- agent/news-ai
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/references
- collector/nvd-api
- collector/launchpad-cve
- source/Launchpad
- agent/tags
- agent/event
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/apple
- canonical/apple multiple products
- canonical/apple safari
- canonical/apple iphone
- canonical/apple macos ventura
- canonical/apple macos monterey
- canonical/apple visionos
- canonical/apple ios
- canonical/apple ipados
- canonical/apple tvos
- canonical/apple macos sonoma
- canonical/apple iphone os
- canonical/apple macos
- version/apple macos/12.0
- version/apple macos/13.0
- version/apple macos/14.0
- package-manager/debian
- package-manager/ubuntu