The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both vulnerabilities were reported to Apple anonymously.
Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.
Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”
The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.
The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation while withholding additional details to prevent further abuse.
The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of the year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users' online activity and identities in the web browser.