CVE-2022-48503 — Apple Multiple Products JavaScriptCore Vulnerability

CVE-2022-48503

Apple iOS/macOS/Safari/tvOS/watchOS — JavaScriptCore Processing of Malicious Web Content Leads to Code Execution; Fixed iOS 15.6 (July 2022); NVD Published 13 Months Later

What is Apple JavaScriptCore?

JavaScriptCore (JSC) is Apple's open-source JavaScript engine, the runtime component of WebKit that executes JavaScript when a browser or app processes web content. JSC includes a multi-tier JIT (just-in-time) compiler that dynamically compiles frequently executed JavaScript into native machine code for performance. The JIT compiler and interpreter maintain typed value representations of JavaScript objects — type confusion vulnerabilities arise when the engine incorrectly treats a value as one type when it is actually another, enabling out-of-bounds reads or writes into the engine's internal structures. Like all WebKit vulnerabilities, JSC bugs affect every browser on iOS and iPadOS (platform policy requires all iOS browsers to use WebKit), as well as Safari on macOS.

Overview

CVE-2022-48503 is a type confusion vulnerability (CWE-843) in Apple JavaScriptCore that allows an attacker to achieve arbitrary code execution by serving maliciously crafted web content to a victim's browser. Apple patched it in July 2022 as part of iOS 15.6, macOS Monterey 12.5, Safari 15.6, tvOS 15.6, and watchOS 8.7. Despite the July 2022 patch, the CVE was not published to NVD until August 2023 — 13 months later. CISA added it to the KEV catalog in October 2025, over three years after the original fix, reflecting confirmed exploitation of devices still running pre-15.6 software.

The CISA required-action note that the product "could be end-of-life (EoL) and/or end-of-service (EoS)" reflects the targeting pattern: exploitation is directed at older iOS devices that are no longer receiving updates, where users are permanently stuck below the patched version.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| iOS and iPadOS | Prior to 15.6 | 15.6 (July 20, 2022) |
| macOS Monterey | Prior to 12.5 | 12.5 (July 20, 2022) |
| Safari | Prior to 15.6 | 15.6 (July 20, 2022) |
| tvOS | Prior to 15.6 | 15.6 (July 20, 2022) |
| watchOS | Prior to 8.7 | 8.7 (July 20, 2022) |

Technical Details

Type confusion (CWE-843) in JavaScriptCore occurs when the JIT compiler or interpreter assigns an incorrect type to a JavaScript value and subsequently performs operations assuming that type — reading or writing memory at an offset appropriate for the assumed type but not the actual type. The exploitation pattern:

  1. Craft triggering JavaScript — construct JavaScript that exercises the type confusion path; the engine misidentifies the type of a heap-allocated JSC object
  2. Achieve out-of-bounds access — the misidentified type causes the engine to read or write memory at an incorrect offset from the object, accessing adjacent heap contents
  3. Escalate to code execution — with control over what the engine reads or writes in adjacent memory, manipulate JSC's internal structures (function pointers, JIT code regions, object layouts) to redirect execution
  4. Escape the renderer sandbox — chain with a sandbox escape vulnerability to move from the renderer process to unrestricted execution on the device

The AV:N/UI:R profile reflects a classic drive-by scenario: the victim visits a malicious or compromised web page in Safari or any WebKit-based browser, and loading that page is the only user interaction needed to trigger the type confusion.

Discovery

Apple credited no external researcher in the iOS 15.6 advisory for CVE-2022-48503, consistent with disclosure via Apple's Security Research Device Program or a private submission. The 13-month NVD registration delay and subsequent 3+ year KEV timeline reflect a vulnerability that was patched in 2022 but whose active exploitation — primarily targeting legacy devices unable to upgrade — was confirmed years later.

Exploitation Context

CVE-2022-48503 follows the pattern of Apple WebKit/JSC vulnerabilities that remain exploitable years after patching because significant populations of legacy Apple devices cannot receive the fix:

  • Devices that have reached Apple's end of software support cannot upgrade to iOS 15.6 or later, leaving the JSC vulnerability permanently unpatched
  • Attackers targeting specific individuals with older devices (iPhone 6s, 7, older iPads) can use CVE-2022-48503 as a drive-by code execution primitive
  • The 3+ year gap between patch and KEV add reflects the long exploitation tail of vulnerabilities affecting EoL Apple device populations — commercial surveillance vendors and nation-state actors maintain exploit chains against these devices because their owners cannot patch

The late KEV addition in October 2025 confirms that active exploitation of CVE-2022-48503 against legacy iOS device populations was still occurring over three years after the original fix.

Remediation

  1. Update to iOS/iPadOS 15.6 or later — apply via Settings → General → Software Update; any device capable of running iOS 15.6 should be updated.
  2. Retire devices that cannot reach iOS 15.6 — devices below the iOS 15 compatibility threshold cannot receive the JSC fix and present an unmitigable WebKit code execution risk; replace them with supported hardware.
  3. Update macOS to Monterey 12.5 or later — apply via Software Update.
  4. Enable automatic updates — automatic updates minimize the window between Apple patch release and installation.
  5. Consider Lockdown Mode — for individuals who cannot replace legacy devices but face elevated threat, Lockdown Mode restricts WebKit JavaScript JIT functionality used in JSC exploit chains.
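The remediation steps above reduce to a fleet question: which devices are below the fixed version, and which of those can never reach it. The following is an added example, not part of the advisory, that triages a constructed inventory against the fixed versions from the Affected Versions table; the `max_supported` column (the highest OS a hardware model can install) is an assumed field that a real MDM export would have to supply.

```python
import csv
import io

# Fixed versions from the advisory's Affected Versions table.
FIXED_VERSIONS = {
    "iOS": (15, 6),
    "iPadOS": (15, 6),
    "macOS": (12, 5),
    "Safari": (15, 6),
    "tvOS": (15, 6),
    "watchOS": (8, 7),
}

def parse_version(text):
    """Turn '15.6.1' into (15, 6, 1) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(product, installed, max_supported=None):
    """Return 'patched', 'update', 'retire' or 'unknown-product'."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "unknown-product"
    if parse_version(installed) >= fixed:
        return "patched"
    # Below the fix. If the hardware can never reach the fixed version
    # (assumed max_supported column), the advisory's only remedy is replacement.
    if max_supported and parse_version(max_supported) < fixed:
        return "retire"
    return "update"

def triage(inventory_csv):
    """Map device -> action for CSV columns device,product,installed,max_supported."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[row["device"]] = classify(
            row["product"], row["installed"], row.get("max_supported") or None)
    return results

# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = """device,product,installed,max_supported
phone-a,iOS,15.5,15.8
phone-b,iOS,16.1,
old-ipad,iPadOS,12.5.7,12.5.7
mac-1,macOS,12.4,13.0
watch-1,watchOS,8.6,8.8
tv-1,tvOS,15.6,
"""
if __name__ == "__main__":
    for device, action in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {action}")
```

Devices reported as `retire` map to remediation step 2; `update` maps to steps 1 and 3.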

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2022-48503 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2023-08-14 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2025-10-20 |
| CISA KEV Deadline | 2025-11-10 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2025-11-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2022-07-20 | Apple releases iOS 15.6, macOS Monterey 12.5, Safari 15.6, tvOS 15.6, and watchOS 8.7 — patching CVE-2022-48503 among other vulnerabilities |
| 2023-08-14 | CVE-2022-48503 published to NVD — approximately 13 months after Apple's July 2022 patch |
| 2025-10-20 | CISA adds CVE-2022-48503 to the Known Exploited Vulnerabilities catalog — over 3 years after the patch, reflecting confirmed exploitation of legacy devices running pre-15.6 software |
| 2025-11-10 | CISA BOD 22-01 remediation deadline |