CVE-2022-32917 — Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability


Apple iOS, iPadOS, and macOS — Kernel Out-of-Bounds Write Enabling Application Code Execution with Kernel Privileges

What is the Apple XNU Kernel?

The XNU kernel is the core of all Apple operating systems — iOS, iPadOS, macOS, tvOS, and watchOS. It manages hardware resources, enforces security boundaries between apps and the system, and provides the foundation for all platform security features including the app sandbox, code signing, and process isolation. A kernel privilege escalation means an attacker can bypass every user-space security control on the device.

Overview

CVE-2022-32917 is a kernel out-of-bounds write vulnerability affecting Apple iOS, iPadOS, and macOS. An application with local code execution can exploit the flaw to execute code with kernel-level privileges, enabling a complete sandbox escape and full device or system compromise. Apple confirmed active in-the-wild exploitation at time of disclosure. CISA added the vulnerability to KEV two days after the patch — the same day patches were publicly confirmed as addressing a zero-day.

Affected Versions

Product        | Vulnerable | Fixed
iOS            | < 15.7     | 15.7
iPadOS         | < 15.7     | 15.7
macOS Monterey | < 12.6     | 12.6
macOS Big Sur  | Affected   | Security Update 2022-005

Technical Details

The vulnerability is an out-of-bounds write (CWE-787) in the XNU kernel. The exact subsystem was not publicly identified by Apple, consistent with the company's practice of limiting technical details on actively exploited kernel bugs.

  • Attack vector: Local — requires an existing foothold (sandboxed app or other local execution)
  • Privileges required: Low — a normal unprivileged application is sufficient to trigger the flaw
  • User interaction: None — once an attacker has app-level execution, escalation to kernel is automatic
  • Chaining model: This vulnerability is typically used as the second stage in a two-stage exploit chain. The first stage (WebKit, FaceTime, or other parser bug) achieves sandboxed code execution; this bug escalates to kernel for full device control

The out-of-bounds write allows corruption of kernel memory adjacent to the target buffer, enabling overwrite of security-critical kernel data structures such as task credentials or memory page protections.

Discovery

Reported by an anonymous researcher, as credited in Apple's security advisories for iOS 15.7 and macOS Monterey 12.6.

Exploitation Context

Apple confirmed exploitation in the wild prior to the September 12 patch release. The two-day gap between the patch and CISA's KEV addition is unusually fast, suggesting the urgency of real-world exploitation. Kernel privilege escalation vulnerabilities on Apple platforms are primarily used by commercial surveillance software (mercenary spyware) vendors and nation-state actors in full-device compromise chains targeting high-value individuals.

Remediation

  1. Update iPhones and iPads to iOS/iPadOS 15.7 or later (or iOS 16 if device-compatible)
  2. Update Macs to macOS Monterey 12.6 or later; apply Security Update 2022-005 for Big Sur
  3. Enable automatic updates: System Preferences → Software Update → Automatically keep my Mac up to date
  4. For enterprise device fleets, enforce minimum OS version via MDM (Jamf, Mosyle, Kandji) and flag non-compliant devices for emergency patching
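A fleet compliance check built from the fixed versions in the Affected Versions table above, as an added example (not Apple, CISA, or any MDM vendor's tooling). It assumes an exported MDM inventory with `device`, `product` and `os_version` columns; the column names and the sample rows are constructed for illustration.

```python
"""Classify devices in an MDM export against the CVE-2022-32917 fix versions."""
import csv
import io

# Minimum fixed versions from the advisory's Affected Versions table.
FIXED = {"iOS": (15, 7), "iPadOS": (15, 7), "macOS": (12, 6)}
BIG_SUR_MAJOR = 11  # fixed by Security Update 2022-005, not a comparable version bump


def parse_version(text):
    """'15.6.1' -> (15, 6, 1). A trailing build tag such as '12.6 (21G115)' is ignored."""
    core = text.strip().split()[0]
    return tuple(int(p) for p in core.split("."))


def status(product, version):
    """Classify one device as 'patched', 'vulnerable', 'verify' or 'unknown'."""
    if product not in FIXED:
        return "unknown"  # product not covered by this advisory
    v = parse_version(version)
    if product == "macOS" and v[0] == BIG_SUR_MAJOR:
        return "verify"  # Big Sur: confirm Security Update 2022-005 is installed
    # Anything below the fixed version (including older, unlisted majors) is flagged.
    return "patched" if v >= FIXED[product] else "vulnerable"


def audit(inventory_csv):
    """Return {device: status} for every device not confirmed patched."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        s = status(row["product"], row["os_version"])
        if s != "patched":
            findings[row["device"]] = s
    return findings


# Constructed sample export (hypothetical device names and column layout).
SAMPLE_INVENTORY = """device,product,os_version
iphone-01,iOS,15.6.1
iphone-02,iOS,15.7
ipad-01,iPadOS,16.0
mbp-01,macOS,12.5.1
mbp-02,macOS,12.6
imac-01,macOS,11.6.8
appletv-01,tvOS,16.0
"""

if __name__ == "__main__":
    for device, s in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {s}")
```

Devices reported as `verify` still need a manual check for Security Update 2022-005, since Big Sur's fix is not expressed as a version threshold on this page.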

Key Details

Property              | Value
CVE ID                | CVE-2022-32917
Vendor / Product      | Apple — iOS, iPadOS, and macOS
NVD Published         | 2022-09-20
NVD Last Modified     | 2025-10-23
CVSS 3.1 Score        | 7.8
CVSS 3.1 Vector       | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              | HIGH
CWE                   | CWE-787
CISA KEV Added        | 2022-09-14
CISA KEV Deadline     | 2022-10-05
Known Ransomware Use  | No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-10-05. Apply updates per vendor instructions.

Timeline

Date       | Event
2022-09-12 | Apple releases iOS 15.7, iPadOS 15.7, and macOS Monterey 12.6 patching CVE-2022-32917
2022-09-14 | Added to CISA Known Exploited Vulnerabilities catalog
2022-09-20 | CVE published
2022-10-05 | CISA BOD 22-01 remediation deadline