One of the flaws is in WebKit and the other is in the kernel. Both vulnerabilities can lead to arbitrary code execution and Apple attributed the discovery of both to an anonymous researcher. Apple patched the flaws in iOS 15.6.1 and macOS Monterey 12.5.1.
Both of the vulnerabilities are out-of-bounds write flaws. Organizations that deploy Macs and iPhones or iPads in their environments should upgrade as soon as is practicable to avoid exploitation.
“An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. An out-of-bounds write issue was addressed with improved bounds checking,” the Apple advisory for CVE-2022-32894, the kernel bug, says.
The WebKit flaw (CVE-2022-32893) is similar, but results from a victim viewing malicious content in a vulnerable browser.
Google has also released a fix for Chrome to patch a vulnerability that has been exploited in the wild. That bug is the result of insufficient input validation and was discovered by Google’s own Threat Analysis Group, which tracks advanced persistent threat teams and other high-end attackers. Google fixed the flaw (CVE-2022-2856) in Chrome 140, which the company released Tuesday.