CVE-2022-32894 — Apple iOS and macOS Out-of-Bounds Write Vulnerability

Apple iOS and macOS Kernel — Out-of-Bounds Write Enabling Application Code Execution with Kernel Privileges

What is the Apple XNU Kernel?

The XNU kernel is the foundation of all Apple operating systems: iOS, iPadOS, macOS, tvOS, and watchOS. It manages hardware resources, enforces the security boundary between the app sandbox and the operating system, and controls access to privileged capabilities. Kernel-level code execution bypasses every user-space security control, including the app sandbox, code signing enforcement, and data protection. Kernel vulnerabilities are the most severe class of Apple platform vulnerability and are primarily exploited by commercial spyware and nation-state actors.

Overview

CVE-2022-32894 is an out-of-bounds write (CWE-787) in the Apple XNU kernel. An application can exploit the flaw to execute code with kernel-level privileges, enabling a complete sandbox escape and full device compromise. Apple released an emergency patch on August 17, 2022, alongside CVE-2022-32893 (a WebKit RCE), confirming that both vulnerabilities were being actively exploited together as a remote-to-kernel exploit chain. CISA added both to its Known Exploited Vulnerabilities (KEV) catalog the following day.

Affected Versions

Product | Vulnerable | Fixed
iOS | < 15.6.1 | 15.6.1
iPadOS | < 15.6.1 | 15.6.1
macOS Monterey | < 12.5.1 | 12.5.1

Technical Details

The vulnerability is an out-of-bounds write (CWE-787) in the XNU kernel. The specific kernel subsystem was not publicly disclosed by Apple.

  • Attack vector: Local — requires the attacker to have sandboxed app-level code execution first (typically achieved via CVE-2022-32893 or a similar WebKit/parser bug)
  • Privileges required: None beyond app execution; the vulnerability itself does not require any elevated starting permissions
  • User interaction: Required — in the full exploit chain, the victim must interact with malicious web content delivered via CVE-2022-32893
  • Impact: Full kernel code execution — the attacker can read and write any memory, install persistent implants (kernel extensions or modified system binaries), disable security features, and exfiltrate all data on the device
  • Chain role: This is the second stage of the two-stage WebKit + kernel chain. CVE-2022-32893 takes the attacker from web content to code execution in the renderer process; CVE-2022-32894 then escapes from the app sandbox to the kernel

Discovery

Reported by an anonymous researcher, as credited in Apple's security advisories for iOS 15.6.1 and macOS Monterey 12.5.1.

Exploitation Context

Apple confirmed active exploitation in the wild. The joint release of CVE-2022-32893 (WebKit) and CVE-2022-32894 (kernel) in a single emergency patch confirms that both bugs were used together. This is the hallmark of a mercenary spyware or nation-state exploit chain targeting high-value individuals for full device compromise: malicious web content is delivered for remote access, and the attacker then escalates to the kernel for stealthy persistence and complete data access.

Remediation

  1. Update to iOS/iPadOS 15.6.1 or later — this patches both the WebKit and kernel vulnerabilities simultaneously
  2. Update Macs to macOS Monterey 12.5.1 or later
  3. Enable automatic updates to receive future emergency patches without delay
  4. Enterprise MDM administrators should enforce minimum OS version and flag non-compliant devices for immediate action
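
An added example (not from Apple or from this page's author) of the minimum-version check in step 4: it audits a constructed MDM inventory export against the fixed versions in the Affected Versions table. The CSV column names and serials are hypothetical, and macOS releases older than Monterey, which the table does not list, are sent to manual review rather than judged.

```python
import csv
import io

# Fixed versions from the "Affected Versions" table on this page.
FIXED = {"iOS": (15, 6, 1), "iPadOS": (15, 6, 1), "macOS": (12, 5, 1)}

# Constructed sample MDM inventory export (hypothetical column names).
SAMPLE_INVENTORY = """serial,platform,os_version
C0NSTRUCT01,iOS,15.6
C0NSTRUCT02,iOS,15.6.1
C0NSTRUCT03,iPadOS,15.5
C0NSTRUCT04,macOS,12.5
C0NSTRUCT05,macOS,12.5.1
C0NSTRUCT06,macOS,11.6.8
C0NSTRUCT07,iOS,16.0
C0NSTRUCT08,iOS,unknown
"""

def parse_version(text):
    """Turn '15.6' into (15, 6, 0) so that 15.6 < 15.6.1 compares correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    """Return 'compliant', 'non-compliant' or 'review' for one device."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "review"  # platform not covered by this page
    try:
        version = parse_version(os_version)
    except ValueError:
        return "review"  # unparseable version: never assume patched
    # The page lists only macOS Monterey (12.x); older macOS majors
    # are not in its table, so send them to manual review.
    if platform == "macOS" and version[0] < 12:
        return "review"
    return "compliant" if version >= fixed else "non-compliant"

def audit(inventory_csv):
    """Map serial -> status for every row of an inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["serial"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_INVENTORY).items():
        print(serial, status)
```

Devices reported as 15.6 or 12.5 are flagged because missing version components are padded with zero before comparison, which a plain string comparison would get wrong.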

Key Details

Property | Value
CVE ID | CVE-2022-32894
Vendor / Product | Apple — iOS and macOS
NVD Published | 2022-08-24
NVD Last Modified | 2025-10-23
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2022-08-18
CISA KEV Deadline | 2022-09-08
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date | Event
2022-08-17 | Apple releases iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 patching CVE-2022-32893 and CVE-2022-32894
2022-08-18 | Added to CISA Known Exploited Vulnerabilities catalog
2022-08-24 | CVE published
2022-09-08 | CISA BOD 22-01 remediation deadline