CVE-2022-48618 — Apple Multiple Products Memory Corruption Vulnerability

Apple iOS/macOS/tvOS/watchOS — Kernel TOCTOU Race Condition Bypasses Pointer Authentication (PAC); Fixed iOS 16.2 (December 2022); NVD Published 13 Months Later

What is Apple Pointer Authentication?

Pointer Authentication (PAC) is a hardware security feature on Apple Silicon (arm64e architecture, introduced with A12 Bionic) that cryptographically signs code and data pointers stored in memory. When a signed pointer is loaded and used, the processor verifies the cryptographic signature before allowing execution or data access — preventing an attacker who achieves arbitrary write capability from redirecting control flow to attacker-controlled addresses. PAC effectively raises the bar for exploiting memory corruption vulnerabilities: a write primitive alone is insufficient; the attacker must also forge a valid cryptographic signature. A time-of-check/time-of-use vulnerability that bypasses PAC's verification step eliminates this protection, making PAC bypass a critical enabling step in kernel exploit chains targeting modern Apple devices.

Overview

CVE-2022-48618 is a time-of-check/time-of-use (TOCTOU) race condition (CWE-367) in Apple's kernel that allows a local attacker with read and write capabilities to bypass Pointer Authentication Code (PAC) protection. Apple patched it in December 2022 as part of iOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2. The CVE was not published to NVD until January 9, 2024 — 13 months after the patch — following the pattern of delayed registration common to Apple kernel vulnerabilities. CISA added it to the KEV catalog on January 31, 2024.

The 7.0 HIGH CVSS score reflects the AC:H (high complexity) precondition of a race condition — the attacker must win a timing race to trigger the TOCTOU window — but C:H/I:H/A:H captures the full system compromise potential once PAC is bypassed.
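To make the score arithmetic behind that sentence concrete, the following is an added example (not part of the original advisory, and not a vendor or NVD tool) that computes a CVSS 3.1 base score from a vector string using the formulas published in the CVSS v3.1 specification. The function names (`cvss31_base`, `metric`, `roundup`, `pow15`) are my own; the second vector, with AC:L substituted, is a constructed variant included only to show how much the race-condition precondition lowers the score.

```c
/* CVSS 3.1 base score from a vector string. Added illustration using the
 * published v3.1 formulas; the function names here are the author's own. */
#include <stdio.h>
#include <string.h>

/* Find the single-letter value that follows `name` (e.g. "/AV:") in the
 * vector and return its weight, or -1.0 if the metric is absent or unknown.
 * The leading slash keeps "/C:" from matching inside "/AC:". */
static double metric(const char *vec, const char *name,
                     const char *letters, const double *weights) {
    const char *p = strstr(vec, name);
    if (!p) return -1.0;
    p += strlen(name);
    if (*p == '\0') return -1.0;
    const char *q = strchr(letters, *p);
    return q ? weights[q - letters] : -1.0;
}

/* CVSS v3.1 "Roundup": the smallest one-decimal value >= input, computed in
 * the integer form the specification prescribes to avoid floating-point drift. */
static double roundup(double d) {
    long v = (long)(d * 100000.0 + 0.5);          /* d is never negative here */
    if (v % 10000 == 0) return v / 100000.0;
    return (double)(v / 10000 + 1) / 10.0;
}

static double pow15(double x) {                    /* avoids a libm dependency */
    double r = 1.0;
    for (int k = 0; k < 15; k++) r *= x;
    return r;
}

/* Returns the base score, or -1.0 for a malformed vector. */
static double cvss31_base(const char *vec) {
    static const double w_av[]   = {0.85, 0.62, 0.55, 0.20};   /* N A L P */
    static const double w_ac[]   = {0.77, 0.44};               /* L H */
    static const double w_pr_u[] = {0.85, 0.62, 0.27};         /* N L H, scope unchanged */
    static const double w_pr_c[] = {0.85, 0.68, 0.50};         /* N L H, scope changed */
    static const double w_ui[]   = {0.85, 0.62};               /* N R */
    static const double w_cia[]  = {0.56, 0.22, 0.00};         /* H L N */

    int changed;
    if (strstr(vec, "/S:C")) changed = 1;
    else if (strstr(vec, "/S:U")) changed = 0;
    else return -1.0;

    double av = metric(vec, "/AV:", "NALP", w_av);
    double ac = metric(vec, "/AC:", "LH", w_ac);
    double pr = metric(vec, "/PR:", "NLH", changed ? w_pr_c : w_pr_u);
    double ui = metric(vec, "/UI:", "NR", w_ui);
    double c  = metric(vec, "/C:", "HLN", w_cia);
    double i  = metric(vec, "/I:", "HLN", w_cia);
    double a  = metric(vec, "/A:", "HLN", w_cia);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1.0;

    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                            : 6.42 * iss;
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0) return 0.0;
    double sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return roundup(sum > 10.0 ? 10.0 : sum);
}

int main(void) {
    const char *kev   = "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H";  /* from the advisory */
    const char *lowac = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H";  /* constructed variant */
    printf("%s -> %.1f\n", kev, cvss31_base(kev));
    printf("%s -> %.1f\n", lowac, cvss31_base(lowac));
    return 0;
}
```

With the advisory's vector the impact sub-score is 6.42 × (1 − 0.44³) ≈ 5.87 and exploitability is 8.22 × 0.55 × 0.44 × 0.62 × 0.85 ≈ 1.05, which rounds up to 7.0; swapping AC:H for AC:L raises exploitability to ≈ 1.83 and the base score to 7.8, so the timing-race precondition is worth 0.8 of a point here.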

Affected Versions

Product          Affected        Fixed
iOS and iPadOS   Prior to 16.2   16.2 (December 13, 2022)
macOS Ventura    Prior to 13.1   13.1 (December 13, 2022)
tvOS             Prior to 16.2   16.2 (December 13, 2022)
watchOS          Prior to 9.2    9.2 (December 13, 2022)

Technical Details

A time-of-check/time-of-use (TOCTOU) race condition (CWE-367) in Apple's kernel occurs when two operations — checking a pointer's validity and using the pointer — are not atomic. In PAC-protected execution, the kernel checks a pointer's cryptographic signature at one point in time (time-of-check) and then uses the pointer at a later point (time-of-use). If an attacker can modify the pointer's value in the window between the check and the use — for example, by racing a concurrent thread — the use proceeds with a pointer whose signature was validated for a different address than the one actually used.

The exploitation chain:

  1. Obtain a write primitive — the attacker achieves some kernel memory write capability (e.g., via a separate heap corruption vulnerability)
  2. Race the TOCTOU window — trigger the PAC pointer verification and simultaneously race to swap the underlying pointer value before the kernel uses it
  3. Redirect execution — the pointer now points to attacker-controlled memory rather than the signed original, with the signature check having passed, bypassing PAC's protection
  4. Achieve arbitrary kernel code execution — with PAC bypassed, the attacker can redirect kernel control flow, enabling privilege escalation to root and full device compromise
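The check-then-use pattern described above, and the defensive fix for it, as an added example that is not Apple's code and not a reconstruction of the patched kernel function. The "signature" is a constructed 16-bit keyed hash placed in the top bits of a 64-bit pointer, standing in for the PAC bits of an arm64e pointer; `legit_handler`, `rogue_handler`, `struct slot`, `dispatch_vulnerable` and `dispatch_hardened` are all my own names. The vulnerable path authenticates what it first loads, then reloads the slot and branches on the second value; the "concurrent writer" is modelled as a callback invoked inside the window rather than a real thread, so the outcome is deterministic.

```c
/* Toy model of a PAC-style signed pointer and a check-then-use window.
 * Added illustration; the tag is a constructed keyed hash, not real PAC. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef int (*handler_fn)(void);

static int legit_handler(void) { return 1; }   /* the handler that was signed */
static int rogue_handler(void) { return 2; }   /* constructed stand-in for an unsigned target */

#define ADDR_MASK 0x0000FFFFFFFFFFFFULL         /* low 48 bits carry the address */

static const uint64_t SIGN_KEY = 0x5A17C0DEULL; /* constructed key, never known to the writer */

/* 16-bit tag over the address; the |1 keeps it non-zero so an all-zero tag
 * (what a writer without the key can store) always fails authentication. */
static uint16_t toy_mac(uint64_t addr) {
    uint64_t x = (addr ^ SIGN_KEY) * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29;
    return (uint16_t)((x >> 48) | 1u);
}

static uint64_t sign_ptr(handler_fn fn) {
    uint64_t addr = (uint64_t)(uintptr_t)fn & ADDR_MASK;
    return addr | ((uint64_t)toy_mac(addr) << 48);
}

/* Returns the authenticated address, or 0 if the tag does not match. */
static uint64_t auth_ptr(uint64_t signed_ptr) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t tag = (uint16_t)(signed_ptr >> 48);
    return tag == toy_mac(addr) ? addr : 0;
}

struct slot { uint64_t signed_handler; };       /* memory both sides can reach */

typedef void (*concurrent_writer)(struct slot *);

/* CWE-367 shape: the value that is checked is not the value that is used. */
static int dispatch_vulnerable(struct slot *s, concurrent_writer writer) {
    if (auth_ptr(s->signed_handler) == 0) return -1;   /* time-of-check: first load */
    if (writer) writer(s);                              /* the race window */
    uint64_t addr = s->signed_handler & ADDR_MASK;      /* time-of-use: second load, unchecked */
    return ((handler_fn)(uintptr_t)addr)();
}

/* Fix: load once, authenticate that copy, and branch only on the authenticated value. */
static int dispatch_hardened(struct slot *s, concurrent_writer writer) {
    uint64_t addr = auth_ptr(s->signed_handler);        /* single load, authenticated */
    if (addr == 0) return -1;
    if (writer) writer(s);                              /* memory may change; it is not re-read */
    return ((handler_fn)(uintptr_t)addr)();
}

/* Constructed writer: it can store bytes into the slot but cannot compute a tag. */
static void overwrite_unsigned(struct slot *s) {
    s->signed_handler = (uint64_t)(uintptr_t)rogue_handler & ADDR_MASK;
}

/* Start from a correctly signed slot and run one dispatcher through the window. */
static int run_case(int hardened, concurrent_writer writer) {
    struct slot s = { sign_ptr(legit_handler) };
    return hardened ? dispatch_hardened(&s, writer) : dispatch_vulnerable(&s, writer);
}

/* A slot that never held a valid tag is rejected outright. */
static int run_unsigned_initial(void) {
    struct slot s = { (uint64_t)(uintptr_t)rogue_handler & ADDR_MASK };
    return dispatch_hardened(&s, NULL);
}

int main(void) {
    printf("no race:       vulnerable=%d hardened=%d\n", run_case(0, NULL), run_case(1, NULL));
    printf("raced swap:    vulnerable=%d hardened=%d\n",
           run_case(0, overwrite_unsigned), run_case(1, overwrite_unsigned));
    printf("unsigned slot: hardened=%d (rejected)\n", run_unsigned_initial());
    return 0;
}
```

Without a writer both dispatchers run the signed handler (return 1). With the writer active, the vulnerable dispatcher runs the unsigned target (return 2) even though its check passed, while the hardened one still runs the signed handler, because the only value it ever branches on is the one it authenticated. The general remedy is the standard TOCTOU one, not anything PAC-specific: treat the authenticated register value as the single source of truth and never go back to memory for the pointer after the check; on arm64e that means keeping the result of the authenticate instruction in a register (or using the combined authenticate-and-branch forms) rather than reloading the slot.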

The PR:L (low privileges required) rating reflects that the write primitive needed to trigger the race presupposes some local code execution; this CVE supplies the PAC bypass stage of a chain, not the initial write.

Discovery

Apple's iOS 16.2 advisory credits no external researcher for CVE-2022-48618, suggesting it was reported through Apple's private vulnerability program or found internally. The 13-month gap between patch and NVD registration is typical for Apple kernel vulnerabilities, which are often patched well before the CVE record completes NVD's pipeline.

Exploitation Context

PAC bypass vulnerabilities are essential components of kernel exploit chains targeting modern Apple devices. Without a PAC bypass, an attacker who achieves a kernel write primitive on arm64e devices cannot reliably redirect execution to arbitrary code — PAC validation will cause a panic on any attempt to use a forged pointer. CVE-2022-48618 provides the TOCTOU-based PAC bypass that converts a limited kernel write into full arbitrary code execution.

The combination of a kernel write primitive and CVE-2022-48618's PAC bypass enables:

  • Disabling kernel security checks and code-signing enforcement
  • Loading unsigned kernel extensions or shellcode
  • Accessing credential stores and keychain data
  • Installing persistent kernel-level implants that survive reboots

The pattern of late NVD registration and delayed KEV addition — patch in December 2022, KEV in January 2024 — is consistent with retrospective attribution after forensic analysis of a device where this PAC bypass was observed in an active exploit chain.

Remediation

  1. Update to iOS/iPadOS 16.2 — apply via Settings → General → Software Update; the December 2022 update patches CVE-2022-48618.
  2. Update macOS to Ventura 13.1 — apply via Software Update.
  3. Keep Apple devices on current software — Apple patches kernel vulnerabilities including PAC bypass issues in regular OS updates; maintaining current software minimizes the kernel exploitation attack surface.
  4. Enable Lockdown Mode for high-risk individuals — Lockdown Mode restricts functionality that can be used to achieve initial code execution as a prerequisite for kernel exploitation.
  5. Enforce MDM minimum OS version — Mobile Device Management policies can enforce minimum iOS/macOS version requirements for enrolled devices; quarantine non-compliant devices.

Key Details

Property               Value
CVE ID                 CVE-2022-48618
Vendor / Product       Apple — Multiple Products
NVD Published          2024-01-09
NVD Last Modified      2025-10-23
CVSS 3.1 Score         7.0
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-367
CISA KEV Added         2024-01-31
CISA KEV Deadline      2024-02-21
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      High
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-02-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2022-12-13   Apple releases iOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2 — patching CVE-2022-48618 among other vulnerabilities
2024-01-09   CVE-2022-48618 published to NVD — approximately 13 months after Apple's December 2022 patch release
2024-01-31   CISA adds CVE-2022-48618 to the Known Exploited Vulnerabilities catalog — 22 days after NVD publication
2024-02-21   CISA BOD 22-01 remediation deadline