CVE-2022-22587 — Apple Memory Corruption Vulnerability

CVE-2022-22587

Apple iOS/iPadOS/macOS — IOMobileFrameBuffer Memory Corruption Enables Kernel Privilege Escalation

What is IOMobileFrameBuffer?

IOMobileFrameBuffer is an Apple kernel extension (kext) responsible for managing the display framebuffer on iOS, iPadOS, and macOS devices. As a kernel driver, it operates in ring 0 — the highest privilege level. Vulnerabilities in kernel extensions are especially dangerous because successful exploitation grants an attacker full control over the device at the OS level, bypassing all application sandboxing and security controls.

Overview

CVE-2022-22587 is a memory corruption vulnerability in the IOMobileFrameBuffer kernel extension affecting iOS, iPadOS, and macOS. A malicious application that exploits this flaw can execute arbitrary code with kernel privileges — effectively achieving a full device compromise from a sandboxed application. Apple stated in its advisory that it was "aware of a report that this issue may have been actively exploited," a phrase Apple uses to confirm in-the-wild exploitation. CISA added this to the KEV catalog just two days after Apple's patch was released, reflecting the urgency. The CVSS 3.1 base score is 9.8 (Critical).

Affected Versions

Platform          Vulnerable     Fixed
iOS               Before 15.3    iOS 15.3
iPadOS            Before 15.3    iPadOS 15.3
macOS Monterey    Before 12.2    macOS Monterey 12.2

Technical Details

The vulnerability is a memory corruption flaw (CWE-787 — out-of-bounds write) in the IOMobileFrameBuffer kernel extension. The exact mechanism was not disclosed by Apple, consistent with its standard policy of withholding technical details until the majority of users have updated.

IOMobileFrameBuffer vulnerabilities are part of a known class of iOS kernel exploits. The kernel extension handles IOKit user-client requests from applications — a programming interface that allows sandboxed applications to communicate with kernel drivers via documented APIs. Bugs in IOKit user-client dispatch functions have been a recurring source of iOS kernel exploits for years (similar to earlier IOMobileFrameBuffer bugs like CVE-2021-30807 and CVE-2022-22590).

The exploitation flow:

  1. Attacker delivers a malicious application (via App Store or sideloading on jailbroken devices) or exploits another vulnerability to run code in a sandboxed context
  2. The malicious code sends crafted IOKit requests to the IOMobileFrameBuffer user-client
  3. Memory corruption in the kernel driver allows escaping the sandbox and achieving kernel code execution
  4. With kernel privileges, the attacker can disable security features, install persistent implants, or access all device data

Discovery

Apple's advisory credited "an anonymous researcher" with discovering the vulnerability. The rapid KEV addition and Apple's in-the-wild exploitation disclosure suggest this may have been discovered during forensic investigation of an already-compromised device, or reported by a threat intelligence firm.

Exploitation Context

IOMobileFrameBuffer vulnerabilities have been favored by iOS exploit developers — including commercial surveillance vendors — because they provide a reliable kernel exploitation primitive. The "may have been actively exploited" language in Apple's advisory is notable: Apple uses this language very conservatively, only when exploitation has been confirmed.

This class of vulnerability is typically used as a privilege escalation or sandbox escape step in a longer exploit chain:

  • Spyware implants: Following initial delivery (via browser, messaging app, or phishing), the kernel exploit completes full device compromise and persistent implant installation
  • Jailbreaking tools: Kernel exploits enable jailbreak development, though this CVE predates public jailbreak use
  • Government/law enforcement tools: Zero-click and one-click iOS chains used by surveillance vendors (NSO Group, Pegasus, etc.) rely on kernel exploits of this type

Remediation

  1. Update immediately: Install iOS 15.3, iPadOS 15.3, or macOS Monterey 12.2 via Settings > General > Software Update.
  2. Enable automatic updates: Settings > General > Software Update > Automatic Updates — ensure both download and install are enabled.
  3. Apply to all devices: This affects all iPhones, iPads, and Macs in the environment. Mobile device management (MDM) platforms should be used to enforce and verify patching at scale.
  4. Investigate high-risk individuals: For organizations with executives, journalists, or activists who may be targets of sophisticated threat actors, consider using Apple's Lockdown Mode (iOS 16+) for high-risk devices.
  5. Review app permissions: Unusual applications requesting excessive permissions may be vectors for exploitation — review installed app inventory.
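
To verify step 3 at scale, an MDM inventory export can be compared against the fixed versions listed above. The following Python is an added example, not Apple's or any MDM vendor's tooling; the inventory records are constructed, and the macOS check is limited to Monterey 12.x because that is the only macOS line this advisory names.

```python
# Fixed versions named in this advisory as (major, minor); anything below is unpatched.
FIXED_IN = {"iOS": (15, 3), "iPadOS": (15, 3), "macOS": (12, 2)}

# Constructed sample of an MDM inventory export; device names and versions are made up.
INVENTORY = [
    {"name": "exec-iphone", "platform": "iOS", "version": "15.2.1"},
    {"name": "lab-ipad", "platform": "iPadOS", "version": "15.3"},
    {"name": "dev-mbp", "platform": "macOS", "version": "12.1"},
    {"name": "ops-mbp", "platform": "macOS", "version": "12.2.1"},
    {"name": "old-imac", "platform": "macOS", "version": "11.6.3"},
    {"name": "test-iphone", "platform": "iOS", "version": "14.8"},
]


def parse_version(text):
    """'15.2.1' -> (15, 2, 1); tuples compare component-wise, so 15.10 > 15.9."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(platform, version):
    """Classify one device against the fixed versions in the advisory."""
    fixed = FIXED_IN.get(platform)
    if fixed is None:
        return "unknown-platform"
    v = parse_version(version)
    # The advisory lists only macOS Monterey (12.x); other macOS majors need a separate check.
    if platform == "macOS" and v[0] != 12:
        return "not-covered"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Map device name -> status so an MDM report can be filtered for follow-up."""
    return {d["name"]: patch_status(d["platform"], d["version"]) for d in inventory}


def needs_action(inventory):
    """Sorted names of devices still running a vulnerable build."""
    return sorted(name for name, s in triage(inventory).items() if s == "vulnerable")
```

A build such as 12.2.1 is treated as patched because it sorts above 12.2, while 11.x Macs are reported separately rather than silently marked safe.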

Key Details

Property               Value
CVE ID                 CVE-2022-22587
Vendor / Product       Apple — iOS and macOS
NVD Published          2022-03-18
NVD Last Modified      2025-10-23
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-787
CISA KEV Added         2022-01-28
CISA KEV Deadline      2022-02-11
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-02-11. Apply updates per vendor instructions.

Timeline

Date         Event
2022-01-26   Apple released iOS 15.3, iPadOS 15.3, and macOS Monterey 12.2 with the fix
2022-01-28   Added to the CISA Known Exploited Vulnerabilities catalog
2022-02-11   CISA BOD 22-01 remediation deadline
2022-03-18   CVE formally published to NVD