CVE-2024-23222 — Apple Multiple Products WebKit Type Confusion Vulnerability

Apple WebKit — Zero-Day Type Confusion in JavaScript Engine Enables RCE via Malicious Web Content; First iOS Zero-Day of 2024

What is Apple WebKit?

WebKit is Apple's open-source web rendering and JavaScript execution engine, used as the foundation of Safari on all Apple platforms and — uniquely — required for all web browsers on iOS and iPadOS (App Store policy mandates that all iOS browsers use WebKit, not alternative engines). WebKit's JavaScript engine (JavaScriptCore) JIT-compiles JavaScript to native machine code. Type confusion vulnerabilities in JIT compilers arise when the engine's optimization makes incorrect assumptions about object types, leading to memory operations using wrong type layouts — a class of bug with a well-established path to remote code execution via crafted web content.

Overview

CVE-2024-23222 is the first iOS zero-day of 2024: a type confusion vulnerability in Apple WebKit's JavaScript engine that allows an unauthenticated, remote attacker to achieve code execution when a victim visits a malicious web page in Safari or any iOS browser. Apple's advisory states that "Apple is aware of a report that this issue may have been exploited," which indicates active exploitation in targeted attacks. Apple patched it in emergency updates on January 22, 2024, and CISA added it to the KEV catalog the following day.

Affected Versions

Platform         Patched Version
---------------  ---------------
iOS              17.3 / 16.7.5
iPadOS           17.3 / 16.7.5
macOS Sonoma     14.3
macOS Ventura    13.6.4
macOS Monterey   12.7.3
tvOS             17.3
Safari           17.3
visionOS         1.0.2

Technical Details

CWE-843 (Access of Resource Using Incompatible Type — Type Confusion). The WebKit JavaScript engine contains a type confusion vulnerability in its object type system. JIT-compiled JavaScript relies on assumptions about object types to emit efficient native code — skipping runtime type checks when the type is "known" at compile time. A crafted JavaScript object can violate these type assumptions, causing the JIT-compiled code to treat an object as the wrong type. Memory read/write operations using the wrong type layout can then be used to achieve a controlled out-of-bounds read or write.

The typical exploitation path:

  1. Victim visits a malicious webpage in Safari or any iOS browser (all iOS browsers must use WebKit)
  2. The malicious JavaScript triggers the type confusion in the JIT-compiled code path
  3. Controlled memory corruption is used to build a JIT bypass and arbitrary read/write primitive
  4. Arbitrary code execution in the WebKit renderer process context

On macOS, this gives code execution in the browser's sandboxed renderer. On iOS, the absence of a JIT sandbox on older devices and the limited sandboxing on newer ones may allow additional access. A complete exploit chain would pair this with a sandbox escape for full device compromise.

Discovery

The flaw was reported to Apple under the standard vulnerability disclosure process. The "Apple is aware of a report that this issue may have been exploited" language indicates that the original report came from a security researcher who observed active exploitation (likely Google TAG, Citizen Lab, or a vendor conducting mobile threat intelligence). Releasing an emergency patch rather than waiting for the next regular security cycle reflects Apple's judgment that the exploitation risk warranted immediate action.

Exploitation Context

WebKit zero-days in January set the tone for the year's iOS exploit market. Type confusion vulnerabilities in WebKit are the primary initial code execution step in commercial iOS spyware chains (Pegasus, Predator, QuaDream's Reign) because: (1) all iOS browsers must use WebKit, making Safari-compatible exploits universal, (2) a malicious web page is a zero-click or one-click delivery mechanism requiring no app installation, and (3) the WebKit rendering engine has a large, complex attack surface that continues to yield vulnerabilities despite Apple's extensive hardening.

Remediation

  1. Update immediately: iOS 17.3 or 16.7.5, iPadOS 17.3 or 16.7.5, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, and Safari 17.3.
  2. Enable Lockdown Mode on Apple devices used by high-risk individuals (journalists, activists, executives, government officials) — it disables JIT compilation in WebKit, eliminating many JIT-based exploit primitives.
  3. Keep all Apple devices on auto-update to minimize the window between patch release and deployment.
  4. For organizations managing fleets of Apple devices: enforce minimum OS version requirements via MDM (Apple Business Manager / Jamf / Mosyle).
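The fleet-enforcement step above is easiest to operationalize as a version audit against the patched releases listed in this advisory. The script below is an added example, not tooling from Apple or from any MDM vendor: it takes a constructed inventory export (a list of device records with a platform name and an installed OS version, as a Jamf or Mosyle CSV export would give you after parsing) and flags every device that is below the patched version for its release branch. The macOS marketing names from the Affected Versions table are folded into a single "macOS" key so the check can route on the major version number, which is what inventories usually report. Treating a device whose major release is older than any listed branch as unpatched is an assumption made here as a conservative default; the advisory lists no fix for such releases.

```python
"""Fleet audit for CVE-2024-23222: compare installed OS versions from an MDM
inventory export against the patched versions in the Apple advisory."""
from __future__ import annotations

from dataclasses import dataclass

# Patched versions from the advisory, keyed by platform. Platforms with several
# supported release branches list one minimum per branch; macOS 14/13/12 are
# Sonoma 14.3, Ventura 13.6.4 and Monterey 12.7.3 respectively.
PATCHED = {
    "iOS":      ["17.3", "16.7.5"],
    "iPadOS":   ["17.3", "16.7.5"],
    "macOS":    ["14.3", "13.6.4", "12.7.3"],
    "tvOS":     ["17.3"],
    "Safari":   ["17.3"],
    "visionOS": ["1.0.2"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """'16.7.5' -> (16, 7, 5); tuples compare lexicographically, so
    (17, 3, 1) >= (17, 3) and (17, 2, 1) < (17, 3) as expected."""
    return tuple(int(p) for p in v.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at or above the patched release of its branch."""
    mins = PATCHED.get(platform)
    if mins is None:
        raise ValueError(f"unknown platform: {platform}")
    installed = parse_version(version)
    branches = sorted((parse_version(m) for m in mins), reverse=True)  # newest first
    for minimum in branches:
        if installed[0] == minimum[0]:            # same major release branch
            return installed >= minimum
    if installed[0] > branches[0][0]:             # newer major release than any listed
        return True
    # Assumption: a major release older than every listed branch has no fix in
    # this advisory, so it is reported as unpatched rather than silently ignored.
    return False


@dataclass
class Finding:
    device_id: str
    platform: str
    version: str
    patched: bool


def audit(inventory: list[dict]) -> list[Finding]:
    """Evaluate every inventory record; raises on an unknown platform name."""
    return [
        Finding(d["id"], d["platform"], d["os_version"],
                is_patched(d["platform"], d["os_version"]))
        for d in inventory
    ]


def unpatched_ids(inventory: list[dict]) -> list[str]:
    return [f.device_id for f in audit(inventory) if not f.patched]


# Constructed sample inventory (hypothetical device IDs and versions, not real data).
SAMPLE_INVENTORY = [
    {"id": "ipad-001",   "platform": "iPadOS",   "os_version": "17.2.1"},
    {"id": "iphone-002", "platform": "iOS",      "os_version": "16.7.5"},
    {"id": "iphone-003", "platform": "iOS",      "os_version": "16.7.4"},
    {"id": "mac-004",    "platform": "macOS",    "os_version": "14.3"},
    {"id": "mac-005",    "platform": "macOS",    "os_version": "13.6.3"},
    {"id": "mac-006",    "platform": "macOS",    "os_version": "12.7.3"},
    {"id": "tv-007",     "platform": "tvOS",     "os_version": "17.3"},
    {"id": "vision-008", "platform": "visionOS", "os_version": "1.0.1"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        status = "ok" if f.patched else "UNPATCHED"
        print(f"{f.device_id:12} {f.platform:9} {f.version:8} {status}")
    print("needs update:", unpatched_ids(SAMPLE_INVENTORY))
```

Feed the output of `unpatched_ids` into the MDM's smart-group or compliance-policy mechanism to enforce the update; on the constructed sample it flags the iPadOS 17.2.1, iOS 16.7.4, macOS 13.6.3 and visionOS 1.0.1 devices and passes the rest.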

Key Details

Property              Value
--------------------  --------------------------------------------
CVE ID                CVE-2024-23222
Vendor / Product      Apple — Multiple Products
NVD Published         2024-01-23
NVD Last Modified     2026-04-03
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-843
CISA KEV Added        2024-01-23
CISA KEV Deadline     2024-02-13
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
-------------------  ---------
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2024-02-13. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
----------  --------------------------------------------------------------------------------------------------------------------
2024-01-22  Apple releases emergency patches for iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3 and Safari 17.3, fixing CVE-2024-23222
2024-01-23  CVE published; CISA adds it to the KEV catalog the same day, confirming zero-day exploitation
2024-02-13  CISA BOD 22-01 remediation deadline