Patches have been released for a zero-day vulnerability in Apple's iOS and iPadOS mobile operating systems that the company says has been actively exploited in the wild.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in documentation about the security updates without providing details about any attack.
The out-of-bounds write issue in the kernel, CVE-2022-42827, could enable an attacker to execute code with the highest privileges at the most fundamental level of the operating system.
Out-of-bounds write flaws allow applications to write data outside the intended buffer in memory, which can result in data corruption, crashes, and other unexpected behaviour.
Apple has patched the zero-day vulnerability in iOS 16.1 and iPadOS 16.
Its latest patches improve memory handling in the following devices:
- iPhone 8 and later
- iPad Pro (all models)
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
This vulnerability is the ninth zero-day bug to be fixed by Apple this year.
In January, it released updates for iOS 15 and iPadOS 15 that fixed, among other flaws, a buffer overflow issue that let an app execute arbitrary code with kernel privileges.
In February, Apple patched another actively exploited zero-day in WebKit that allowed threat actors to execute arbitrary code to compromise iPads, iPhones and macOS devices.
And in August the company released patches for another bug, CVE-2022-32894, affecting the kernel, which could allow attackers to take control of the device; in September another zero-day, CVE-2022-32917, affecting iPhones and iPads was fixed.
In total, Apple has patched 106 vulnerabilities, including multiple critical ones, with today's set of updates, the SANS Internet Storm Centre noted.