What is Apple WebKit?
WebKit is Apple's open-source browser engine used by Safari, all iOS/iPadOS browsers (all browsers on iOS are required to use WebKit), and a wide range of native apps that render web content. Because WebKit processes untrusted data from the internet, vulnerabilities in it are a primary remote code execution vector against Apple devices — the attacker only needs to deliver a malicious web page or embed malicious content in a WebKit-rendering view. WebKit bugs are among the most frequently exploited in targeted spyware attack chains.
Overview
CVE-2022-32893 is an out-of-bounds write (CWE-787) in Apple's WebKit browser engine. Processing a maliciously crafted web page can trigger the flaw and lead to arbitrary code execution in the WebKit renderer process. Apple released emergency patches for iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 on August 17, 2022, one day before CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which confirmed active in-the-wild exploitation.
CVE-2022-32893 (WebKit RCE) and CVE-2022-32894 (kernel privilege escalation) were patched together in the same emergency release, forming a two-stage remote-to-kernel exploit chain.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS | < 15.6.1 | 15.6.1 |
| iPadOS | < 15.6.1 | 15.6.1 |
| macOS Monterey | < 12.5.1 | 12.5.1 |
Technical Details
The vulnerability is an out-of-bounds write (CWE-787) in WebKit, located either in its JavaScript engine or in its HTML/CSS parsing infrastructure; Apple did not disclose the exact code path.
- Attack vector: Remote — the victim only needs to visit a malicious web page, receive a link, or open a malicious inline preview
- Privileges required: None — the attacker only needs to deliver content to a WebKit-rendering surface
- User interaction: Required — victim must open malicious web content
- Impact: Remote code execution in the WebKit renderer sandbox
- Chaining: WebKit exploits like this one are typically chained with a kernel privilege escalation (CVE-2022-32894) to escape the renderer sandbox and achieve full device control
- iOS scope: On iOS and iPadOS, all third-party browsers (Chrome, Firefox, Edge) use WebKit under the hood, making this a cross-browser vulnerability on Apple mobile platforms
Discovery
Reported by an anonymous researcher, as credited in Apple's security advisories.
Exploitation Context
Apple confirmed active exploitation in the wild. The simultaneous release of patches for both the WebKit RCE and the kernel EoP (CVE-2022-32894) in a single emergency update strongly suggests that both bugs were being used together as a complete remote compromise chain: malicious web content for initial access, followed by escalation to the kernel for persistence and full control. This pattern is characteristic of commercial spyware vendors (mercenary surveillance operators) and sophisticated state-sponsored actors.
Remediation
- Update to iOS/iPadOS 15.6.1 or later on all iPhones and iPads
- Update Macs to macOS Monterey 12.5.1 or later
- Enable automatic updates to ensure future emergency patches are applied promptly
- Be aware that on iOS all browsers (Chrome, Firefox, Edge) use WebKit — updating iOS is the only fix, not switching browsers
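As an added, defender-side example (not part of this advisory and not Apple tooling), the POSIX shell script below compares reported OS versions against the fixed versions listed in the Affected Versions table and flags devices that still need the update. The inventory lines, hostnames and versions are constructed for the example; only the fixed versions come from this advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag Apple devices whose reported OS
# version is still below the first fixed release for CVE-2022-32893.
# Fixed versions are taken from the advisory's Affected Versions table.

# fixed_version PRODUCT -> prints the first patched version for that product
fixed_version() {
  case "$1" in
    iOS|iPadOS) echo "15.6.1" ;;
    macOS)      echo "12.5.1" ;;
    *)          return 1 ;;
  esac
}

# version_lt A B -> returns 0 (true) if A < B, comparing dotted numeric
# components so that 15.6 < 15.6.1 and 12.5.1 is not < 12.5.1
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0   # missing components count as 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1                            # equal: not less-than
  }'
}

# is_vulnerable PRODUCT VERSION -> 0 if the device still needs the patch,
# 1 if it is at or above the fixed version, 2 if the product is unknown
is_vulnerable() {
  fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
  version_lt "$2" "$fixed"
}

# Constructed sample inventory (device,product,version), the kind of export an
# MDM would produce; the hostnames and versions are made up for this example.
SAMPLE_INVENTORY='iphone-01,iOS,15.6
iphone-02,iOS,15.6.1
ipad-01,iPadOS,15.5
mac-01,macOS,12.5
mac-02,macOS,12.5.1
mac-03,macOS,13.0'

# report_vulnerable -> one line per device that is below the fixed version
report_vulnerable() {
  printf '%s\n' "$SAMPLE_INVENTORY" | while IFS=, read -r dev prod ver; do
    if is_vulnerable "$prod" "$ver"; then
      echo "$dev $prod $ver -> update to $(fixed_version "$prod")"
    fi
  done
}

# count_vulnerable -> number of devices flagged by report_vulnerable
count_vulnerable() {
  report_vulnerable | wc -l | tr -d ' '
}

# local_check -> on a Mac, test the running OS; on other systems returns 2
local_check() {
  command -v sw_vers >/dev/null 2>&1 || return 2
  is_vulnerable macOS "$(sw_vers -productVersion)"
}

report_vulnerable
```

The comparison is purely numeric per component, so a later product line such as macOS 13.0 compares as fixed because it is above the 12.5.1 floor; the script encodes only the version floors this advisory states and is meant to be fed a real MDM export in place of the constructed inventory.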
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-32893 |
| Vendor / Product | Apple — iOS and macOS |
| NVD Published | 2022-08-24 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-08-18 |
| CISA KEV Deadline | 2022-09-08 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-08-17 | Apple releases iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 as emergency patches for CVE-2022-32893 and CVE-2022-32894 |
| 2022-08-18 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-24 | CVE published |
| 2022-09-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 15.6.1 and iPadOS 15.6.1 | Vendor Advisory |
| Apple Security Advisory — macOS Monterey 12.5.1 | Vendor Advisory |
| NVD — CVE-2022-32893 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |