Headline
CVE-2022-22671: About the security content of iOS 15.4 and iPadOS 15.4
An authentication issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to access photos from the lock screen.
Released March 14, 2022
Accelerate Framework
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2022-22633: an anonymous researcher
AppleAVD
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to heap corruption
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.
AVEVideoEncoder
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2022-22634: an anonymous researcher
AVEVideoEncoder
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22635: an anonymous researcher
AVEVideoEncoder
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22636: an anonymous researcher
Cellular
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access may be able to view and modify the carrier account information and settings from the lock screen
Description: The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel.
CVE-2022-22652: Kağan Eğlence (linkedin.com/in/kaganeglence)
CoreMedia
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An app may be able to learn information about the current camera view before being granted camera access
Description: An issue with app access to camera metadata was addressed with improved logic.
CVE-2022-22598: Will Blaschko of Team Quasko
FaceTime
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user may be able to bypass the Emergency SOS passcode prompt
Description: This issue was addressed with improved checks.
CVE-2022-22642: Yicong Ding (@AntonioDing)
FaceTime
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user may send audio and video in a FaceTime call without knowing that they have done so
Description: This issue was addressed with improved checks.
CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida
GPU Drivers
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22667: Justin Sherman of the University of Maryland, Baltimore County
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2022-22611: Xingyu Jin of Google
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to heap corruption
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2022-22612: Xingyu Jin of Google
IOGPUFamily
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22641: Mohamed Ghannam (@_simo36)
iTunes
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious website may be able to access information about the user and their devices
Description: A logic issue was addressed with improved restrictions.
CVE-2022-22653: Aymeric Chaib of CERT Banque de France
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22596: an anonymous researcher
CVE-2022-22640: sqrtpwn
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22613: Alex, an anonymous researcher
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22614: an anonymous researcher
CVE-2022-22615: an anonymous researcher
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22632: Keegan Saunders
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A null pointer dereference was addressed with improved validation.
CVE-2022-22638: derrek (@derrekr6)
libarchive
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Multiple issues in libarchive
Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.
CVE-2021-36976
Markup
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions
Description: This issue was addressed with improved checks.
CVE-2022-22622: Ingyu Lim (@_kanarena)
MediaRemote
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to identify what other applications a user has installed
Description: An access issue was addressed with improved access restrictions.
CVE-2022-22670: Brandon Azad
NetworkExtension
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A logic issue was addressed with improved state management.
CVE-2022-22659: an anonymous researcher
Phone
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user may be able to bypass the Emergency SOS passcode prompt
Description: This issue was addressed with improved checks.
CVE-2022-22618: Yicong Ding (@AntonioDing)
Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to read other applications’ settings
Description: The issue was addressed with additional permissions checks.
CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Sandbox
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to bypass certain Privacy preferences
Description: The issue was addressed with improved permissions logic.
CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran
Siri
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen
Description: A permissions issue was addressed with improved validation.
CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)
SoftwareUpdate
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22639: Mickey (@patch1t)
UIKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions
Description: This issue was addressed with improved checks.
CVE-2022-22621: Joey Hewitt
VoiceOver
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to access photos from the lock screen
Description: An authentication issue was addressed with improved state management.
CVE-2022-22671: videosdebarraquito
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A cookie management issue was addressed with improved state management.
WebKit Bugzilla: 232748
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to code execution
Description: A memory corruption issue was addressed with improved state management.
WebKit Bugzilla: 232812
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 233172
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab
WebKit Bugzilla: 234147
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
WebKit Bugzilla: 234966
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious website may cause unexpected cross-origin behavior
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 235294
CVE-2022-22637: Tom McKee of Google
Wi-Fi
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to leak sensitive user information
Description: A logic issue was addressed with improved restrictions.
CVE-2022-22668: MrPhil17