CVE-2024-23222
HIGH severity · CVSS 8.8 · CWE-843 · actively exploited (CISA KEV)
8.8CVSS HIGH ● exploited
🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities).
Added to KEV 2024-01-23. US federal agencies must patch by 2024-02-13.
Summary
A type confusion issue was addressed with improved checks. This issue is fixed in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, visionOS 1.0.2. Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)1%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://support.apple.com/en-us/118479Advisory
- https://support.apple.com/en-us/120304Advisory
- https://support.apple.com/en-us/120305Advisory
- https://support.apple.com/en-us/120307Advisory
- https://support.apple.com/en-us/120309Advisory
- https://support.apple.com/en-us/120310Advisory
- https://support.apple.com/en-us/120311Advisory
- https://support.apple.com/en-us/120339Advisory