CVE-2022-22620 — Apple iOS, iPadOS, and macOS Webkit Use-After-Free Vulnerability


Apple WebKit — Zero-Day UAF in Web Content Parser Enables RCE on iOS, iPadOS, and macOS

What is Apple WebKit?

WebKit is Apple's open-source browser rendering engine, used by Safari on macOS, iOS, and iPadOS, and — critically — required by Apple's iOS App Store policies to be the rendering engine for all browsers on iOS and iPadOS. This means that Chrome, Firefox, Edge, and every other browser on iPhone and iPad all use WebKit under the hood rather than their own engines (V8 for Chrome, SpiderMonkey for Firefox). A WebKit zero-day therefore affects every web browser on iOS/iPadOS simultaneously — a unique aspect of Apple's platform that dramatically increases the impact of WebKit vulnerabilities compared to browser vulnerabilities on other platforms.

Overview

CVE-2022-22620 is a high-severity use-after-free vulnerability (CWE-416, CVSS 8.8) in Apple WebKit, confirmed actively exploited as a zero-day. Processing maliciously crafted web content — visiting a malicious web page in Safari or any other browser on iOS/iPadOS — can trigger code execution in the rendering engine. Apple released emergency patches for iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 on February 10, 2022. Apple's advisory stated the vulnerability "may have been actively exploited." CISA added it to the KEV catalog the following day.

Affected Versions

Product          Vulnerable       Fixed
iOS              Before 15.3.1    15.3.1
iPadOS           Before 15.3.1    15.3.1
macOS Monterey   Before 12.2.1    12.2.1

Note: Safari on older macOS versions (Big Sur, Catalina) also received a WebKit security update to address this vulnerability.

Technical Details

A use-after-free (CWE-416) in WebKit's HTML/JavaScript processing code — the web content parser or JavaScript engine — allows an attacker to trigger code execution through a sequence of DOM or JavaScript operations that free a WebKit object while a reference to it remains active.

The exploitation flow:

  1. A user visits a malicious web page (or is redirected to one via a compromised page or malicious link)
  2. JavaScript on the page manipulates WebKit objects in a sequence that frees an object while a dangling reference remains
  3. The attacker reclaims the freed memory with attacker-controlled content through heap manipulation
  4. When the dangling reference is dereferenced, execution is redirected to attacker-controlled code
  5. Code execution occurs in the WebKit rendering process

On iOS, WebKit processes run in Apple's browser entitlement sandbox. A full device compromise typically requires chaining the WebKit RCE with a kernel privilege escalation vulnerability (such as a separate iOS kernel zero-day) to break out of the sandbox and achieve kernel-level access.

Discovery

Apple's advisory credited the discovery to an anonymous researcher. The immediate emergency release (outside Apple's normal patch cycle) and Apple's rare acknowledgment of active exploitation confirm this was a zero-day being used in attacks before the fix was available.

Exploitation Context

WebKit zero-days are among the most valuable exploit primitives for mobile surveillance operations:

  • Commercial spyware: NSO Group's Pegasus and similar products chain WebKit zero-days with iOS kernel exploits for zero-click or one-click device compromise. The simultaneous impact on all iOS browsers (due to WebKit's mandatory use) makes WebKit exploits particularly efficient.
  • Targeted surveillance: Zero-day exploits at this level are typically reserved for high-value targeting — journalists, activists, politicians, business executives, and government officials.
  • Watering hole attacks: Compromising websites frequently visited by target demographics to serve the exploit to visitors.

Apple's emergency release reflects its matured response process for zero-day WebKit issues — the company maintains an internal threat intelligence capability through Apple Security Research that monitors for zero-day exploitation.

Remediation

  1. Update iOS/iPadOS to 15.3.1 or later immediately: Go to Settings > General > Software Update. This zero-day affects every web browser on iPhone and iPad.
  2. Update macOS to Monterey 12.2.1 or later: For macOS users, update via System Preferences > Software Update.
  3. Enable automatic updates: Enable automatic security updates in iOS (Settings > General > Software Update > Automatic Updates) to receive future emergency patches.
  4. Treat zero-day notifications seriously: When Apple states a vulnerability "may have been actively exploited," treat it as a confirmed zero-day and prioritize updating over convenience.
  5. Enterprise MDM patch enforcement: Organizations managing iOS devices via MDM should push mandatory updates for zero-day advisories outside normal patch windows.
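The MDM enforcement step above comes down to comparing each device's installed OS version against the fixed builds in the table. The following is an added example (not Apple, CISA or any MDM vendor's tooling) that does that comparison over a constructed CSV inventory export; the column names device_id, platform and os_version and the device ids are assumptions for illustration. It also handles the Big Sur/Catalina case from the note above, where the fix arrived as a Safari update that an OS version string cannot reveal.

```python
"""Flag devices in an MDM inventory export that are still below the fixed
builds for CVE-2022-22620 (added example, not Apple or CISA tooling).

Assumptions (not from the advisory): the inventory is CSV text with the
columns device_id,platform,os_version, and platform is one of
"iOS", "iPadOS" or "macOS".
"""
import csv
import io

# Fixed versions from Apple's February 10, 2022 release.
FIXED_VERSIONS = {
    "iOS": "15.3.1",
    "iPadOS": "15.3.1",
    "macOS": "12.2.1",
}

# Constructed sample export for offline testing; device ids are made up.
SAMPLE_INVENTORY = """device_id,platform,os_version
iphone-001,iOS,15.3
iphone-002,iOS,15.3.1
ipad-001,iPadOS,15.2.1
ipad-002,iPadOS,15.4
mac-001,macOS,12.2
mac-002,macOS,12.2.1
mac-003,macOS,11.6.4
"""


def parse_version(text):
    """Turn '15.3' or '15.3.1' into a comparable tuple of ints.

    Missing trailing components are treated as zero, so 15.3 == 15.3.0
    and sorts below 15.3.1 (a plain string compare would get this wrong).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(platform, os_version):
    """Classify one device against the fixed builds.

    Returns "patched", "update_os", "check_safari" (macOS releases before
    Monterey received the fix as a Safari update, which the OS version
    cannot show) or "unknown" for platforms the table does not cover.
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return "unknown"
    installed = parse_version(os_version)
    if platform == "macOS" and installed[0] < 12:
        return "check_safari"
    return "update_os" if installed < parse_version(fixed) else "patched"


def find_vulnerable_devices(inventory_csv):
    """Return (device_id, status) for every device that is not 'patched'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = assess(row["platform"], row["os_version"])
        if status != "patched":
            findings.append((row["device_id"], status))
    return findings


if __name__ == "__main__":
    for device_id, status in find_vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: {status}")
```

Devices reported as update_os can be targeted with a mandatory update push; check_safari devices need their Safari version inspected separately, since the OS version alone cannot prove they are patched.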

Key Details

Property               Value
CVE ID                 CVE-2022-22620
Vendor / Product       Apple — iOS, iPadOS, and macOS
NVD Published          2022-03-18
NVD Last Modified      2025-10-23
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416
CISA KEV Added         2022-02-11
CISA KEV Deadline      2022-02-25
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-02-25. Apply updates per vendor instructions.

Timeline

Date         Event
2022-02-10   Apple released iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 with emergency fix
2022-02-11   CISA added to KEV
2022-02-25   CISA BOD 22-01 remediation deadline
2022-03-18   CVE formally published to NVD