Apple fixes exploited zero-days: Update your devices! (CVE-2022-32894, CVE-2022-32893)

Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix CVE-2022-32894 and CVE-2022-32893, two code execution vulnerabilities exploited by attackers in the wild.
CVE-2022-32894 is an out-of-bounds write issue in the operating systems' kernel that can be exploited by a malicious application to execute arbitrary code with kernel privileges.
CVE-2022-32893 is an out-of-bounds write issue in WebKit - Apple's browser engine that powers its Safari web browser and all iOS web browsers - that can be triggered by the processing of maliciously crafted web content.
As per usual, Apple did not share details about the attacks that leverage the two zero-days, but it's likely that the flaws are being exploited for targeted attacks.
macOS users who use Google Chrome and don't have automatic updating switched on should also make sure to update that browser, because Google has pushed out a new version that fixes - among other vulnerabilities - CVE-2022-2856, an improper input validation bug affecting Chrome Intent.
"A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that's launched to process that data," noted Paul Ducklin, Principal Research Scientist at Sophos.
News URL
https://www.helpnetsecurity.com/2022/08/18/cve-2022-32894-cve-2022-32893-cve-2022-2856/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-09-26 | CVE-2022-2856 | Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page. | 6.5 |
2022-08-24 | CVE-2022-32894 | Out-of-bounds Write vulnerability in Apple products. An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2022-08-24 | CVE-2022-32893 | Out-of-bounds Write vulnerability in multiple products. An out-of-bounds write issue was addressed with improved bounds checking. | 8.8 |