CVE-2022-43454
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2022-43454 is a double free vulnerability (CWE-415) addressed through improved memory management in Apple's operating systems. It affects macOS Ventura prior to version 13.1, watchOS prior to 9.2, iOS prior to 16.2, iPadOS prior to 16.2, and tvOS prior to 16.2. The issue enables an app to execute arbitrary code with kernel privileges, earning a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker with no privileges required can exploit this vulnerability with low complexity, though it necessitates user interaction. Successful exploitation allows arbitrary kernel code execution, resulting in high impacts to confidentiality, integrity, and availability within the local attack surface.
Apple security advisories, including those at https://support.apple.com/en-us/102741, https://support.apple.com/en-us/102807, https://support.apple.com/en-us/102808, and https://support.apple.com/en-us/102836, confirm the issue was fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2, iPadOS 16.2, and tvOS 16.2. Mitigation requires updating affected devices to these patched versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Double-free memory corruption enables arbitrary kernel code execution from a local app, directly mapping to exploitation for privilege escalation.