The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.
"An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1."
The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks.
Interestingly, patches for the flaw were released on December 13, 2022, with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later on January 9, 2024.
It's worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022. It's not immediately clear if the two vulnerabilities are related.
"An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication," the company said at the time. "A logic issue was addressed with improved state management."
In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.
The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.