Apple has released emergency fixes for two zero-day vulnerabilities in its mobile and desktop operating systems that were exploited in real-world attacks.
The issues have been fixed as part of the iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1 and watchOS 8.5.1 updates.
An out-of-bounds write vulnerability (CVE-2022-22675) in AppleAVD, an audio and video decoding component, may allow an application to execute arbitrary code with kernel privileges. The vulnerability was fixed with improved bounds checking.
In addition to the fix for CVE-2022-22675, the latest version of macOS Monterey also includes a fix for an out-of-bounds read vulnerability (CVE-2022-22674) in the Intel graphics driver module, which may allow an attacker to read kernel memory.
Because the vulnerabilities are being actively exploited, Apple iPhone, iPad and Mac users are strongly advised to update their software to the latest versions as soon as possible.
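For teams tracking this across a fleet, the following added example (not Apple's code or part of the original article) flags devices still below the fixed releases listed above. The inventory format, host names and status labels are assumptions made for illustration; devices on an older major release are reported separately because the article does not say whether they are affected.

```python
import re

# Fixed releases named in the article.
FIXED = {
    "iOS": (15, 4, 1),
    "iPadOS": (15, 4, 1),
    "macOS": (12, 3, 1),
    "tvOS": (15, 4, 1),
    "watchOS": (8, 5, 1),
}

def parse_version(text):
    """Turn '15.4' or '12.3.1' into a 3-tuple, padding missing parts with 0."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    """Return a status label (hypothetical names) for one device."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown-platform"
    current = parse_version(version)
    if current >= fixed:
        return "patched"
    if current[0] < fixed[0]:
        # Older major release: not covered by the article, check the vendor advisory.
        return "check-vendor-advisory"
    return "needs-update"

def audit(inventory_csv):
    """Map host -> status for lines of the form 'host,platform,version'."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version = [field.strip() for field in line.split(",")]
        results[host] = classify(platform, version)
    return results

# Constructed sample inventory, not real devices.
SAMPLE = """
iphone-01,iOS,15.4
ipad-02,iPadOS,15.4.1
mac-03,macOS,12.3
mac-04,macOS,11.6.5
watch-05,watchOS,8.5.1
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```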