Headline
CVE-2022-22661: About the security content of macOS Big Sur 11.6.5
A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to execute arbitrary code with kernel privileges.
Released March 14, 2022
Accelerate Framework
Available for: macOS Big Sur
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2022-22633: an anonymous researcher
AppleGraphicsControl
Available for: macOS Big Sur
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22631: an anonymous researcher
AppleScript
Available for: macOS Big Sur
Impact: An application may be able to read restricted memory
Description: This issue was addressed with improved checks.
CVE-2022-22648: an anonymous researcher
AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro
CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro
AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro
AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro
BOM
Available for: macOS Big Sur
Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)
Intel Graphics Driver
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab
Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22613: Alex, an anonymous researcher
Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22615: an anonymous researcher
CVE-2022-22614: an anonymous researcher
Kernel
Available for: macOS Big Sur
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A null pointer dereference was addressed with improved validation.
CVE-2022-22638: derrek (@derrekr6)
Kernel
Available for: macOS Big Sur
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22632: Keegan Saunders
Login Window
Available for: macOS Big Sur
Impact: A person with access to a Mac may be able to bypass Login Window
Description: This issue was addressed with improved checks.
CVE-2022-22647: an anonymous researcher
LoginWindow
Available for: macOS Big Sur
Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
CVE-2022-22656
PackageKit
Available for: macOS Big Sur
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22617: Mickey Jin (@patch1t)
QuickTime Player
Available for: macOS Big Sur
Impact: A plug-in may be able to inherit the application’s permissions and access user data
Description: This issue was addressed with improved checks.
CVE-2022-22650: Wojciech Reguła (@_r3ggi) of SecuRing
Siri
Available for: macOS Big Sur
Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen
Description: A permissions issue was addressed with improved validation.
CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)
WebKit
Available for: macOS Big Sur
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A cookie management issue was addressed with improved state management.
WebKit Bugzilla: 232748
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix
xar
Available for: macOS Big Sur
Impact: A local user may be able to write arbitrary files
Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.
CVE-2022-22582: Richard Warren of NCC Group