What is Apple iOS and iPadOS?
iOS and iPadOS are Apple's operating systems for iPhones and iPads. The XNU kernel at the heart of these systems manages hardware resources, enforces security boundaries, and controls access to sensitive capabilities. Kernel-level code runs with the highest system privileges, making kernel vulnerabilities among the most severe on the platform — they bypass all user-space and sandbox security controls.
Overview
CVE-2022-42827 is a kernel out-of-bounds write vulnerability in Apple iOS and iPadOS. An application can exploit the flaw to execute arbitrary code with kernel privileges, enabling a complete sandbox escape and full device compromise. Apple confirmed active exploitation at the time of patching and added the vulnerability to the CISA KEV catalog the day after the iOS 16.1 release.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS | < 16.1 | 16.1 |
| iPadOS | < 16 | 16 |
Earlier versions (iOS 15.x and below) were not addressed in this advisory.
Technical Details
The vulnerability is an out-of-bounds write (CWE-787) in the XNU kernel. Out-of-bounds writes occur when code writes data past the end of an allocated buffer, potentially corrupting adjacent memory including kernel data structures, function pointers, or security enforcement state.
- Attack vector: Local — an attacker needs code execution in a sandboxed app, making this a privilege escalation step typically chained after a renderer or WebKit exploit
- Complexity: Low — reliable exploitation does not require defeating additional mitigations beyond the initial memory corruption
- User interaction: Required — a user must open or interact with a malicious app
- Impact: Full kernel code execution, allowing bypass of all iOS security boundaries including the app sandbox, pointer authentication (PAC), and app isolation
The specific kernel subsystem affected was not publicly disclosed by Apple.
Discovery
Reported by an anonymous researcher, as acknowledged in Apple's security advisory for iOS 16.1 and iPadOS 16.
Exploitation Context
Apple confirmed in-the-wild exploitation at time of disclosure. Given the kernel privilege escalation primitive, this class of vulnerability is frequently used by commercial surveillance software (spyware) vendors and state-linked actors in multi-stage mobile exploit chains — typically following a WebKit or application-layer initial access exploit to achieve full device compromise.
Remediation
- Update iPhones to iOS 16.1 or later
- Update iPads to iPadOS 16 or later
- Enable automatic updates: Settings → General → Software Update → Automatic Updates
- If update is not immediately possible, restrict app installation to App Store–vetted apps only and avoid clicking links from untrusted sources
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-42827 |
| Vendor / Product | Apple — iOS and iPadOS |
| NVD Published | 2022-11-01 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 find similar ↗ |
| CISA KEV Added | 2022-10-25 |
| CISA KEV Deadline | 2022-11-15 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2022-10-24 | Apple releases iOS 16.1 and iPadOS 16 patching this vulnerability |
| 2022-10-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-11-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 16.1 and iPadOS 16 | Vendor Advisory |
| NVD — CVE-2022-42827 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |