What is AppleAVD?
AppleAVD is Apple's proprietary audio/video decoder framework, responsible for hardware-accelerated media decoding on Macs, iPhones, and iPads. It processes media file formats and codec data, including content from the web, local files, and streaming services. Because AppleAVD interacts with hardware decoders and operates close to the kernel, vulnerabilities in it can allow an attacker to escalate from sandboxed media-processing code to full kernel privileges.
Overview
CVE-2022-22675 is an out-of-bounds write (CWE-787) in Apple's AppleAVD audio/video decoder component. Processing a maliciously crafted media file can trigger the vulnerability, allowing an application to execute arbitrary code with kernel privileges. Apple patched the flaw on March 31, 2022 in macOS Monterey 12.3.1 and iOS/iPadOS 15.4.1 — confirming active in-the-wild exploitation. CISA added it to KEV four days after the patch, and it was patched alongside CVE-2022-22674 (an Intel Graphics driver kernel read vulnerability) in the same emergency release.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| macOS Monterey | < 12.3.1 | 12.3.1 |
| iOS | < 15.4.1 | 15.4.1 |
| iPadOS | < 15.4.1 | 15.4.1 |
Technical Details
The vulnerability is an out-of-bounds write (CWE-787) in the AppleAVD framework. Processing a crafted media file causes a write past the bounds of an allocated buffer, enabling corruption of adjacent memory — potentially including kernel data structures.
- Attack vector: Local — the attacker must deliver a malicious media file (image, video, audio) that gets processed by AppleAVD on the victim device
- Privileges required: None beyond the ability to open or receive a file
- User interaction: Required — victim must open or play the malicious media content
- Impact: Kernel code execution; complete device or system compromise
- Chain context: Typically paired with a remotely deliverable initial-access vector (e.g., a WebKit or iMessage bug) that causes the malicious media to be parsed; the AppleAVD bug then escalates to kernel
Discovery
Reported by an anonymous researcher, as credited in Apple's security advisories.
Exploitation Context
Apple confirmed active in-the-wild exploitation at the time of disclosure. The emergency patch cadence (a mid-cycle release rather than waiting for a monthly update), the immediate CISA KEV addition, and the anonymous reporter all point to targeted exploitation by commercial spyware vendors or nation-state actors conducting high-value surveillance operations.
Remediation
- Update Macs to macOS Monterey 12.3.1 or later
- Update iPhones and iPads to iOS/iPadOS 15.4.1 or later
- Enable automatic updates to ensure future emergency patches are applied promptly
- For managed device fleets, enforce minimum OS version via MDM and prioritize emergency patch compliance within hours of release
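A fleet compliance check for the remediation steps above, added here as example code (not from Apple or this advisory): it compares a device's installed OS version against the fixed releases in the Affected Versions table, field by field rather than as strings, so a release such as 12.10 is not misjudged as older than 12.3.1. The `version_ge`, `is_patched` and `report` names and the sample inventory are the example's own; `sw_vers` is the standard macOS command for the installed version.

```shell
#!/bin/sh
# Added compliance check for CVE-2022-22675 (example code, not from the advisory).
# Fixed releases come from the Affected Versions table: macOS 12.3.1, iOS/iPadOS 15.4.1.

# version_ge A B: succeeds when dotted version A is at least B.
# Compares numerically field by field, so 12.10 >= 12.3.1 (a string compare gets this wrong);
# a missing field counts as 0, so 12.3 is treated as 12.3.0 and is below 12.3.1.
version_ge() {
  _b="$2"
  _old_ifs=$IFS; IFS=.
  set -- $1
  _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
  set -- $_b
  _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
  IFS=$_old_ifs
  for _pair in "$_a1:$_b1" "$_a2:$_b2" "$_a3:$_b3"; do
    _x=${_pair%%:*}; _y=${_pair#*:}
    [ "$_x" -gt "$_y" ] && return 0
    [ "$_x" -lt "$_y" ] && return 1
  done
  return 0
}

# is_patched PRODUCT VERSION: 0 = fixed release or later, 1 = needs update,
# 2 = product not covered by this advisory. Anything below the fixed release is
# reported as needing an update, matching the guidance "12.3.1 or later".
is_patched() {
  case "$1" in
    macOS)      version_ge "$2" 12.3.1 ;;
    iOS|iPadOS) version_ge "$2" 15.4.1 ;;
    *)          return 2 ;;
  esac
}

# Report one device record; MDM inventories are commonly exported as "product,version" lines.
report() {
  is_patched "$1" "$2" && _rc=0 || _rc=$?
  case $_rc in
    0) echo "$1 $2: patched for CVE-2022-22675" ;;
    2) echo "$1 $2: not covered by this advisory" ;;
    *) echo "$1 $2: NOT patched, update required" ;;
  esac
}

# Constructed sample inventory (not real devices), then the local Mac if sw_vers exists.
printf '%s\n' "macOS,12.3" "macOS,12.10" "iOS,15.4.1" "iPadOS,15.3" "watchOS,8.5" |
  while IFS=, read -r _p _v; do report "$_p" "$_v"; done
if command -v sw_vers >/dev/null 2>&1; then report macOS "$(sw_vers -productVersion)"; fi
```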
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-22675 |
| Vendor / Product | Apple — macOS |
| NVD Published | 2022-05-26 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-04-04 |
| CISA KEV Deadline | 2022-04-25 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2022-03-31 | Apple releases macOS Monterey 12.3.1 and iOS/iPadOS 15.4.1 patching CVE-2022-22675 and CVE-2022-22674 |
| 2022-04-04 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-25 | CISA BOD 22-01 remediation deadline |
| 2022-05-26 | CVE published |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — macOS Monterey 12.3.1 | Vendor Advisory |
| Apple Security Advisory — iOS 15.4.1 and iPadOS 15.4.1 | Vendor Advisory |
| NVD — CVE-2022-22675 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |