The vulnerabilities could allow threat actors to disrupt or access kernel activity and may be under active exploit.
Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity.
Apple released separate security updates for the bugs – a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher.
CVE-2022-22675 – found in the AppleAVD component present in both macOS and iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.
“An out-of-bounds write issue was addressed with improved bounds checking,” according to the advisory. “Apple is aware of a report that this issue may have been actively exploited.”
CVE-2022-22674 is described in the advisory as an “out-of-bounds read issue” in the Intel Graphics Driver of macOS that could allow an application to read kernel memory. Apple addressed the bug – which also may have been actively exploited – with improved input validation, the company said.
As is typical, Apple didn’t disclose more specifics