Apple Safari up to 15.2 WebKit use after free

Summaryinfo

A vulnerability, which was classified as critical, was found in Apple Safari. Impacted is an unknown function of the component WebKit. Executing a manipulation can lead to use after free. This vulnerability is handled as CVE-2022-22590. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Apple Safari (Web Browser). This vulnerability affects some unknown functionality of the component WebKit. The manipulation with an unknown input leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may lead to arbitrary code execution.

The weakness was released 01/26/2022 by Toan Pham as HT213058 as confirmed advisory (Website). The advisory is available at support.apple.com. This vulnerability was named CVE-2022-22590. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 10/09/2024). The advisory points out:

Processing maliciously crafted web content may lead to arbitrary code execution

Upgrading to version 15.3 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:

A use after free issue was addressed with improved memory management.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Web Browser

Vendor

• Apple

Name

• Safari

Version

• 0.8
• 0.9
• 1.0
• 1.0.0
• 1.0.0b1
• 1.0.0b2
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0b1
• 1.1
• 1.1.0
• 1.1.1
• 1.2
• 1.2.0
• 1.2.1
• 1.2.2
• 1.2.3
• 1.2.4
• 1.2.5
• 1.3
• 1.3.0
• 1.3.1
• 1.3.2
• 2
• 2.0
• 2.0 Pre
• 2.0.0
• 2.0.1
• 2.0.2
• 2.0.3
• 2.0.3 417.9.3
• 2.0.4
• 2.0.4 419.3
• 3
• 3.0
• 3.0.0
• 3.0.0b
• 3.0.1
• 3.0.1b
• 3.0.2
• 3.0.2b
• 3.0.3
• 3.0.3b
• 3.0.4
• 3.0.4 Beta
• 3.0.4b
• 3.1
• 3.1.0
• 3.1.0b
• 3.1.1
• 3.1.2
• 3.2
• 3.2.0
• 3.2.1
• 3.2.2
• 3.2.3
• 4
• 4.0
• 4.0 Beta
• 4.0.0b
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.0.5
• 4.1
• 4.1.1
• 4.1.2
• 4.1.3
• 5
• 5.0
• 5.0.1
• 5.0.5
• 5.0.6
• 5.1
• 5.1.2
• 5.1.2 (7534.52.7)
• 5.1.4
• 5.1.7
• 6
• 6.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.1
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.2.0
• 6.2.1
• 6.2.2
• 6.2.3
• 6.2.4
• 6.2.6
• 6.2.7
• 6.2.8
• 7.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4
• 7.1.5
• 7.1.6
• 7.1.7
• 7.1.8
• 8
• 8.0
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 9.0
• 9.0.1
• 9.0.2
• 9.0.3
• 9.1
• 9.1.1
• 9.1.2
• 10
• 10.0
• 10.0.1
• 10.0.2
• 10.0.3
• 10.1
• 10.1.1
• 10.1.2
• 10.5
• 10.5.3
• 10.5.6
• 10.5.8
• 11
• 11.0
• 11.0.1
• 11.0.2
• 11.0.3
• 11.1
• 11.1.1
• 11.1.2
• 12.0
• 12.0.1
• 12.0.2
• 12.0.3
• 12.1
• 12.1.1
• 12.1.2
• 13.0
• 13.0.1
• 13.0.2
• 13.0.3
• 13.0.5
• 13.1
• 13.1.1
• 13.1.2
• 14.0
• 14.0.1
• 14.0.2
• 14.0.3
• 14.1
• 14.1.1
• 14.1.2
• 15
• 15.0
• 15.2

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion