What is Apple WebKit?
WebKit is Apple's browser rendering engine powering Safari and all third-party browsers on iOS and iPadOS — Apple's platform policy requires every iOS/iPadOS browser to use WebKit as its underlying engine. Type confusion (CWE-843) in WebKit's JavaScript engine (JavaScriptCore) or DOM implementation occurs when the engine incorrectly assigns one type to a heap-allocated object while treating it as another type during subsequent operations. This allows reads and writes at offsets appropriate for the assumed type but not the actual type, producing out-of-bounds heap access that can corrupt adjacent objects and ultimately redirect execution. WebKit zero-days — particularly those exploited against legacy iOS device populations that cannot upgrade to iOS 16 — receive the highest urgency response from both Apple and CISA.
Overview
CVE-2022-42856 is a type confusion vulnerability (CWE-843) in Apple WebKit that allows an attacker to achieve arbitrary code execution by serving maliciously crafted web content to a victim's browser on iOS or iPadOS. Apple patched it in December 2022 as part of iOS 15.7.2 and iPadOS 15.7.2 — the update channel for devices unable to run iOS 16. The KEV addition date (December 14, 2022) is one day before the NVD publication date (December 15, 2022), reflecting CISA tracking Apple's advisory directly. Apple stated it was aware of reports that the vulnerability may have been actively exploited against iOS versions released before iOS 15.1.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| iOS and iPadOS | Prior to 15.7.2 (older devices) | 15.7.2 (December 13, 2022) |
Note: iOS 16.2, released simultaneously for newer devices, also addressed related WebKit issues. CVE-2022-42856 is specifically associated with the iOS 15.7.2 release targeting older hardware. Apple noted active exploitation against "iOS versions released before iOS 15.1," indicating the vulnerability was present in the iOS 15.0 timeframe.
Technical Details
Type confusion (CWE-843) in WebKit's JavaScript engine arises when the JIT compiler or type inference system incorrectly classifies a JavaScript object's type. Crafted JavaScript sequences in a web page can induce the type system to treat an object as a different type than its actual runtime type. The exploit chain:
- Serve malicious web content — deliver a crafted web page that exercises the specific JavaScript execution path triggering the type confusion
- Trigger type mismatch — JavaScriptCore assigns an incorrect type to a heap-allocated object during JIT compilation or dynamic type inference
- Out-of-bounds heap access — operations on the misidentified object read or write memory at an incorrect offset, corrupting adjacent heap objects
- Control flow hijack — manipulate the corrupted heap to overwrite function pointers or vtable entries, redirecting WebKit process execution
- Chain with sandbox escape — combine with a separate sandbox bypass to escape the WebKit renderer process and achieve full device compromise
The discovery credit to Clément Lecigne of Google's Threat Analysis Group (TAG) places CVE-2022-42856 in the context of exploit chains used by commercial surveillance vendors (spyware): TAG's forensic analysis of targeted iOS devices is a primary source of Apple zero-day discoveries.
Discovery
CVE-2022-42856 was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG). Apple's advisory for iOS 15.7.2 credited Lecigne with discovery and stated that Apple was aware of reports that the vulnerability may have been actively exploited against iOS versions released before iOS 15.1.
CISA's KEV addition one day ahead of NVD publication (December 14 versus December 15) reflects the now-established pattern of CISA adding Apple security vulnerabilities based directly on Apple's advisories, before NVD's CVE registration pipeline completes.
Exploitation Context
CVE-2022-42856 is specifically associated with older iOS device targeting — the iOS 15.x update channel serves devices that cannot upgrade to iOS 16, including iPhone 6s, iPhone 7, iPhone SE (1st generation), and older iPads. This device population is a persistent exploitation target because:
- Users of these devices permanently run older software once they leave Apple's iOS 16+ support window
- Commercial surveillance vendors (producers of mercenary spyware like Pegasus, Predator) maintain exploit chains targeting specific iOS versions, rotating to new zero-days when old ones are patched
- The active exploitation "before iOS 15.1" window suggests this zero-day was in use for over a year before TAG discovered it
The TAG attribution pattern — discovering this type confusion through forensic analysis of targeted individuals' devices — is consistent with mercenary spyware targeting of activists, journalists, or government officials.
Remediation
- Update to iOS/iPadOS 15.7.2 — apply via Settings → General → Software Update; devices that cannot run iOS 16 should update to the latest iOS 15.x release.
- Enable automatic updates — Apple delivers zero-day patches via automatic updates for iOS devices; enabling automatic updates minimizes exposure.
- Enable Lockdown Mode for high-risk users — Lockdown Mode restricts WebKit JavaScript JIT and other features used in commercial surveillance exploit chains, significantly raising the cost of exploitation for targeted attacks.
- Consider device replacement — devices permanently stuck on iOS 14.x or earlier cannot receive CVE-2022-42856's fix and should be replaced with hardware that supports iOS 16 or later.
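A fleet-triage script for the remediation steps above, added here as an example rather than taken from Apple's advisory or this page: it buckets an MDM-style inventory by reported iOS/iPadOS version against the 15.7.2 fix release and flags hardware that can never reach it. The inventory rows are constructed, and `max_supported_major` (the highest iOS major version the hardware can install) is an assumed inventory field.

```python
"""Fleet triage for CVE-2022-42856 (added example; not the advisory's code).
Sorts an MDM-style inventory by reported iOS/iPadOS version against the fix
release on this page (15.7.2). `max_supported_major` is an assumed inventory
field: the highest iOS major version the hardware can install."""
FIX_VERSION = (15, 7, 2)  # iOS/iPadOS 15.7.2, released 2022-12-13


def parse_version(text: str) -> tuple[int, int, int]:
    """'15.7', '15.7.2' or '16.1.1' -> numeric tuple; as strings '15.10' < '15.7.2'."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(os_version: str, max_supported_major: int) -> str:
    """PATCHED: 15.7.2 or later.  UPDATE: can install 15.7.2.  REPLACE: stuck on
    14.x or earlier.  IOS16_CHANNEL: served by iOS 16 updates instead (check that
    advisory).  UNKNOWN: unparseable version string."""
    try:
        ver = parse_version(os_version)
    except ValueError:
        return "UNKNOWN"
    if ver[0] >= 16:
        return "IOS16_CHANNEL"
    if ver[0] == 15:
        return "PATCHED" if ver >= FIX_VERSION else "UPDATE"
    # iOS 14 or earlier: only hardware that can run iOS 15 can take the fix.
    return "UPDATE" if max_supported_major >= 15 else "REPLACE"


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device ids by bucket; each bucket maps to one remediation step."""
    buckets: dict[str, list[str]] = {}
    for row in inventory:
        bucket = classify(row["os_version"], row["max_supported_major"])
        buckets.setdefault(bucket, []).append(row["device_id"])
    return buckets


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "ip7-001", "os_version": "15.7.1", "max_supported_major": 15},
    {"device_id": "ip7-002", "os_version": "15.7.2", "max_supported_major": 15},
    {"device_id": "ip6s-003", "os_version": "14.8.1", "max_supported_major": 15},
    {"device_id": "ip6-004", "os_version": "12.5.7", "max_supported_major": 12},
]
```

Devices on iOS 16 land in their own bucket because this page ties CVE-2022-42856 to the 15.7.2 release; check the iOS 16.2 advisory for that population separately.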
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-42856 |
| Vendor / Product | Apple — iOS |
| NVD Published | 2022-12-15 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2022-12-14 |
| CISA KEV Deadline | 2023-01-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-12-13 | Apple releases iOS 15.7.2 and iPadOS 15.7.2 patching CVE-2022-42856 for older devices; iOS 16.2 released simultaneously for newer devices |
| 2022-12-14 | CISA adds CVE-2022-42856 to the Known Exploited Vulnerabilities catalog — 1 day before NVD formally publishes the CVE ID |
| 2022-12-15 | CVE-2022-42856 formally published to NVD |
| 2023-01-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Update — iOS 15.7.2 and iPadOS 15.7.2 | Vendor Advisory |
| NVD — CVE-2022-42856 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |