Apple released patches for two zero-day vulnerabilities last Thursday, March 31, 2022. These exploits impact macOS 12.3 and iOS 15.4. At the time of writing, both updates were listed as “reserved” with very little information available.
CVE-2022-22675: reportedly relates to an out-of-bounds write issue in the AppleAVD media decoder. The patch improves bounds checking to address this issue.
CVE-2022-22674: is reported to be an out-of-bounds read issue impacting Intel Graphics Drivers that could lead to the disclosure of kernel memory. The patch improves input validation to stop the exploit.
There are unconfirmed reports of these zero-days being actively exploited. When zero-day patches are released with very little confirmed information, it often means the security impact is significant. We highly recommend that you update to macOS 12.3.1 and iOS 15.4.1 as soon as possible.
Kirk is a seasoned sysadmin with a thirst for knowledge and drive to improve the environments he works in. He was a PDQ employee.