Apple WebKit CVE-2024-23222
Severity: HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
A type confusion issue was addressed with improved checks. This issue is fixed in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, visionOS 1.0.2. Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.
Analysis (AI)
Arbitrary code execution in Apple WebKit affects Safari and the system browser engine across iOS, iPadOS, macOS, tvOS, and visionOS, where a type confusion flaw allows attackers to execute code via maliciously crafted web content. The vulnerability is confirmed actively exploited (CISA KEV) and was used in the Coruna exploit chain against older iOS devices before the fix was backported to legacy versions. EPSS sits at 0.62% (70th percentile), consistent with targeted exploitation rather than mass scanning.
Technical Context (AI)
WebKit is Apple's browser engine that powers Safari and is mandatorily used by all third-party iOS browsers under App Store rules, giving it an enormous attack surface across Apple's ecosystem. CWE-843 (Access of Resource Using Incompatible Type, or 'type confusion') means the engine's JavaScript or DOM handling code interprets an object of one type as another - typically allowing an attacker to manipulate memory layout, bypass bounds, and pivot to arbitrary read/write primitives that lead to native code execution within the renderer process. The CPE coverage spans iPadOS, iPhone OS, macOS, and tvOS, indicating the flaw is in the shared WebKit codebase rather than a platform-specific binding.
Remediation (AI)
Vendor-released patches: update to Safari 17.3, iOS/iPadOS 15.8.7, iOS/iPadOS 16.7.5, iOS/iPadOS 17.3, macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, tvOS 17.3, or visionOS 1.0.2 - the backport to 15.x and 16.x is specifically intended for devices that cannot move to the latest major OS. In enterprise fleets, push the updates via MDM (Apple Configurator, Jamf, Intune) and verify via build numbers in the device inventory. If immediate patching is impossible, enable Lockdown Mode on high-risk users' devices (which disables several WebKit JIT and complex web technologies at the cost of broken sites and reduced functionality), restrict browsing to a hardened reverse-proxy or enforce SafeSearch/category filtering to reduce drive-by exposure, and educate users not to follow links from untrusted sources. Note that because all third-party iOS browsers use WebKit, switching browsers on iOS does not mitigate the issue.
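The inventory check described above has one trap: each OS branch must be compared against its own backport, because a device on 16.7.4 is still exposed even though 16.7.4 is "newer" than the fixed 15.8.7. The following is an added example, not code from the advisory or from Apple; it compares OS version strings rather than build numbers (the page lists none), and the CSV column names and sample rows are constructed.

```python
import csv
import io

# Fixed OS releases from the advisory above, keyed by platform and major
# version so each branch is compared against its own backport.
FIXED = {
    "iOS":      {15: (15, 8, 7), 16: (16, 7, 5), 17: (17, 3, 0)},
    "iPadOS":   {15: (15, 8, 7), 16: (16, 7, 5), 17: (17, 3, 0)},
    "macOS":    {12: (12, 7, 3), 13: (13, 6, 4), 14: (14, 3, 0)},
    "tvOS":     {17: (17, 3, 0)},
    "visionOS": {1: (1, 0, 2)},
}

def parse_version(text):
    """'17.3' -> (17, 3, 0), so 17.3 and 17.3.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown-platform"
    v = parse_version(version)
    if v[0] > max(branches):
        # Assumption: major releases newer than those listed include the fix.
        return "patched"
    if v[0] not in branches:
        return "no-fix-on-branch"  # advisory lists no fixed release here
    return "patched" if v >= branches[v[0]] else "vulnerable"

# Constructed sample inventory export (hypothetical column names).
SAMPLE_INVENTORY = """device,platform,os_version
iphone-a,iOS,15.8.6
iphone-b,iOS,16.7.4
iphone-c,iOS,17.3
ipad-d,iPadOS,14.8.1
mac-e,macOS,13.6.4
mac-f,macOS,14.2.1
"""

def audit(csv_text):
    """Return {device: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: status(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, result in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {result}")
```

Safari on macOS is versioned separately from the OS (fixed in Safari 17.3) and is not covered by this check.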