What is the Apple Intel Graphics Driver?
The Intel Graphics Driver (IGAccel, AGXMetal) is the macOS kernel extension responsible for managing Intel integrated graphics hardware on Mac computers. As a kernel driver, it runs in privileged kernel space and handles graphics memory management, command submission to the GPU, and hardware resource allocation. Out-of-bounds memory accesses in kernel drivers can expose sensitive kernel memory contents to user-space processes — a technique commonly used in privilege escalation chains to defeat ASLR or extract credentials from kernel memory.
Overview
CVE-2022-22674 is an out-of-bounds read vulnerability (CWE-125) in the macOS Intel Graphics Driver. A local application can trigger the vulnerability to read memory beyond the bounds of an intended kernel buffer, potentially exposing sensitive kernel memory contents to the calling process. Apple patched this in macOS Monterey 12.3.1 on March 31, 2022 — an emergency out-of-band update — and acknowledged exploitation in the wild. The update also patched the related CVE-2022-22675 (AppleAVD OOB write), suggesting both were components of an active exploit chain.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| macOS Monterey (Intel Macs) | < 12.3.1 | 12.3.1 |
| Apple Silicon Macs | Not affected | N/A (Intel-specific driver) |
| iOS / iPadOS / tvOS | Not affected | N/A (no Intel GPU) |
Technical Details
The vulnerability is in the AGXMetal (Apple Graphics Acceleration) Intel GPU driver within the XNU kernel. User-space processes interact with the GPU driver via IOKit interfaces, submitting command buffers and requesting hardware resource operations. The driver's handling of a specific IOKit operation or command buffer parameter failed to properly validate that a read operation remained within the bounds of an allocated kernel buffer:
- Root cause: OOB read in the Intel GPU kernel driver — an application-controlled value causes the driver to read kernel memory beyond an intended boundary
- Exploitable data: Out-of-bounds reads in kernel drivers can expose kernel pointers, credentials, or other sensitive kernel data structures to user space
- Attack context: Local — requires a malicious application running on the Mac with at least standard user privileges
- Exploit chain use: The OOB read was patched simultaneously with CVE-2022-22675 (OOB write), suggesting these were used together — the read providing kernel ASLR bypass information for a subsequent write-based privilege escalation
Discovery
Apple credited an anonymous researcher. The out-of-band release timing (outside any regular update schedule) and Apple's acknowledgment of active exploitation indicate that the flaw was discovered in the context of a live attack.
Exploitation Context
Apple's emergency March 2022 update acknowledged that Apple was aware of a report that this issue may have been actively exploited. The simultaneous patching of CVE-2022-22674 (OOB read) and CVE-2022-22675 (OOB write) in the same emergency update suggests they were part of a two-stage exploit chain: read to bypass KASLR, write to achieve kernel code execution and privilege escalation. Intel Mac-targeting exploits of this type are characteristic of commercial spyware chains sold to government customers.
Remediation
- Update to macOS Monterey 12.3.1 or later immediately
- Apple Silicon Macs are not affected — this is specific to the Intel GPU driver
- Enable automatic security updates in System Preferences → Software Update
- Treat any unexplained macOS Monterey system behavior prior to the patch date as potentially indicative of compromise; consult Apple Platform Security guidance for integrity verification
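To verify the first remediation item across a fleet, the Affected Versions table can be turned into a check. The script below is an added example, not Apple tooling and not part of the original advisory; the function names and the inventory format (`host arch version`) are assumptions. Releases older than Monterey are reported as `unknown` because the table above does not list them.

```shell
#!/bin/sh
# Added example: classify Macs against this page's Affected Versions table.
# All function names are hypothetical.

# to_int: "12.3.1" -> 120301; missing components count as 0.
# Fails on empty or non-numeric input.
to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r maj min pat rest <<EOF
$1
EOF
    echo $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# cve_2022_22674_status ARCH VERSION
# prints: vulnerable | fixed | not-affected | unknown
cve_2022_22674_status() {
    case $1 in
        arm64)  echo not-affected; return 0 ;;  # Apple Silicon: Intel driver not used
        x86_64) ;;                              # Intel Mac: compare versions below
        *)      echo unknown; return 0 ;;
    esac
    v=$(to_int "$2") || { echo unknown; return 0; }
    if   [ "$v" -ge 120301 ]; then echo fixed        # 12.3.1 or later
    elif [ "$v" -ge 120000 ]; then echo vulnerable   # Monterey before 12.3.1
    else echo unknown                                # pre-Monterey: not in the table
    fi
}

# audit_inventory: reads "host arch version" lines on stdin,
# prints "host status" for each.
audit_inventory() {
    while read -r host arch ver; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(cve_2022_22674_status "$arch" "$ver")"
    done
}

# On a Mac, report the local machine. A shell running under Rosetta reports
# x86_64 from uname -m, so run this check from a native shell.
if command -v sw_vers >/dev/null 2>&1; then
    cve_2022_22674_status "$(uname -m)" "$(sw_vers -productVersion)"
fi
```

For an inventory export, pipe the constructed `host arch version` lines into `audit_inventory` and filter for `vulnerable`.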
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-22674 |
| Vendor / Product | Apple — macOS |
| NVD Published | 2022-05-26 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 5.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-125 |
| CISA KEV Added | 2022-04-04 |
| CISA KEV Deadline | 2022-04-25 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-03-31 | Apple releases macOS Monterey 12.3.1 emergency update patching CVE-2022-22674 and CVE-2022-22675 |
| 2022-04-04 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-25 | CISA BOD 22-01 remediation deadline |
| 2022-05-26 | CVE formally published in NVD |