Headline
CVE-2022-22591: About the security content of macOS Monterey 12.2
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges.
Released January 26, 2022
AMD Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22586: an anonymous researcher
ColorSync
Available for: macOS Monterey
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro
Crash Reporter
Available for: macOS Monterey
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22578: an anonymous researcher
iCloud
Available for: macOS Monterey
Impact: An application may be able to access a user’s files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)
Intel Graphics Driver
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto
IOMobileFrameBuffer
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition - Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)
Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs
Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution
Description: An information disclosure issue was addressed with improved state management.
CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro
PackageKit
Available for: macOS Monterey
Impact: An application may be able to access restricted files
Description: A permissions issue was addressed with improved validation.
CVE-2022-22583: an anonymous researcher, Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point
WebKit
Available for: macOS Monterey
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript
Description: A validation issue was addressed with improved input sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)
WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)
WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
CVE-2022-22592: Prakash (@1lastBr3ath)
WebKit Storage
Available for: macOS Monterey
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.
CVE-2022-22594: Martin Bajanik of FingerprintJS