In March 2022, Apple fixed a serious security vulnerability—CVE-2022-22667—affecting iOS and iPadOS devices. This vulnerability allowed applications to execute arbitrary code with kernel privileges through a use-after-free bug. In simple terms, a malicious app could potentially take control of your smartwatch, iPhone, or iPad's core components, leading to possible device takeover.
This post breaks down what happened, shows how the exploit works, and shares how Apple fixed the problem. You’ll also find code snippets and helpful references.
What is a Use-After-Free?
A use-after-free happens when a program frees (deletes) memory but then keeps using it through a stale pointer. If an attacker can place their own data in that freed spot before the program touches it again, they control what the program does with it.
Let’s imagine it in a simple code example (in C):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    // Allocate memory
    char *buffer = malloc(50);
    // ...use the buffer
    strcpy(buffer, "hello world");
    // Free the memory
    free(buffer);
    // Dangerous: buffer now dangles, yet the program still writes through it
    strcpy(buffer, "evil code");
    return 0;
}
```
If the attacker can control what gets placed at buffer’s old address after it’s freed, they decide what the program reads or executes next.
The CVE-2022-22667 Problem
Apple’s official advisory:
https://support.apple.com/en-us/HT213182
> "*A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.4/iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges.*"
Severity: High (kernel-level execution)
Here, some part of the Apple kernel wasn’t managing memory correctly. After freeing memory for a particular resource, iOS would still use it—giving attackers a tiny doorway to hijack the core operating system.
(1) Where’s the Bug?
Apple didn’t release the exact source code. However, reverse engineers (such as @realBrightiup) believe it was within the IOKit subsystem. IOKit lets apps interact with device hardware and has a track record of memory bugs.
When a process made multiple requests to a vulnerable interface, the kernel would "free" the memory, but keep a pointer to it, and use it again later. This leftover pointer was ripe for attackers.
The trigger is a race condition: make the kernel free the memory, then, before it reuses it, allocate new memory blocks in the hope of landing attacker-controlled data at the old location.
Pseudocode Exploit Flow

```c
// Pseudocode: Not actual iOS exploit code; the called functions are placeholders
while (1) {
    send_request_to_vulnerable_iokit();
    free_target_memory();
    // Spray heap with attacker's data
    for (int i = 0; i < 100; ++i) {
        allocate_crafted_payload();
    }
    // Make the kernel use the stale pointer
    trigger_use_after_free();
}
```
The "spray" above means flooding memory with fake objects shaped just like the expected kernel object but containing attacker code.
Proof-of-Concept (PoC)
Researchers don’t publicly release full iOS kernel exploits, out of ethical concerns and because of Apple’s security model, but exploitation would look like this:
If successful, the kernel executes code with full system privileges.
Note: Apple’s app review would likely catch this, but malicious apps sometimes still slip by.
How Did Apple Fix It?
Apple’s patch involved properly nullifying the pointer and adding additional checks before reuse. If the memory was freed, the pointer got reset, so later code could not accidentally use it.
In C:

```c
if (ptr) {
    free(ptr);
    ptr = NULL; // The crucial fix
}
```
This pattern lets every later use check whether the pointer is still valid before touching the memory.
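As an added example (constructed for this post, not Apple’s code), here is the same fix carried one step further. Clearing the pointer only protects the one owner holding it; if a second owner copied the raw pointer, it still dangles. The example therefore counts references, frees the object only when the last owner releases it, clears the releasing owner’s slot, and rejects use through a cleared slot. The resource_t type and its functions are hypothetical names.

```c
/* Constructed example (not Apple's code): a reference-counted object with
   the "free, then clear the caller's pointer" pattern described above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int refs;            /* how many owners currently hold a reference */
    char name[16];
} resource_t;

resource_t *resource_create(const char *name) {
    resource_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->refs = 1;
    strncpy(r->name, name, sizeof r->name - 1);
    return r;
}

/* A second owner takes a reference instead of copying the raw pointer. */
resource_t *resource_retain(resource_t *r) { if (r) r->refs++; return r; }

/* Drop one reference; free only when the last owner lets go. Takes the
   owner's pointer by address so the slot can be cleared (the fix). */
int resource_release(resource_t **slot) {
    if (!slot || !*slot) return 0;       /* already released: harmless no-op */
    resource_t *r = *slot;
    *slot = NULL;                        /* this owner can no longer use it */
    if (--r->refs == 0) { memset(r, 0, sizeof *r); free(r); return 1; }
    return 2;                            /* still alive for the other owners */
}

/* Every use goes through a NULL check, so a cleared slot yields an error. */
int resource_use(resource_t *r, char *out, size_t n) {
    if (!r) return -1;
    snprintf(out, n, "%s", r->name);
    return 0;
}

/* Two owners: the first release keeps the object alive, the second frees it,
   and a double release on the cleared slot is a no-op. Returns the number
   of checks that behaved as expected (5 when all pass). */
int demo(void) {
    char buf[16]; int ok = 0;
    resource_t *a = resource_create("iokit-obj");
    resource_t *b = resource_retain(a);
    ok += resource_release(&a) == 2;                     /* b still owns it */
    ok += a == NULL && resource_use(a, buf, 16) == -1;   /* stale use rejected */
    ok += resource_use(b, buf, 16) == 0 && strcmp(buf, "iokit-obj") == 0;
    ok += resource_release(&b) == 1;                     /* last owner: freed */
    ok += resource_release(&b) == 0;                     /* double release: no-op */
    return ok;
}
```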
References
- Apple Security Advisory: About the security content of iOS 15.4 and iPadOS 15.4
- Exploit writeup (partial, realBrightiup on Twitter)
- MITRE: CVE-2022-22667 Record
Should You Worry? What To Do
If your device is running iOS/iPadOS 15.4 or later, you’re protected. Always update when Apple pushes new versions. If you’re on an older iPad or iPhone that isn’t supported anymore, be extra careful what apps you install.
Summary:
*CVE-2022-22667 is a critical kernel-level bug that opens the door for full-device takeover via a use-after-free error. Apple’s patch (15.4+) makes such attacks impossible—unless new bugs are found. Always update, and only install trusted apps!*
*Author: Security Simplified | Exclusive writeup, 2024*
Timeline
Published on: 03/18/2022 18:15:00 UTC
Last modified on: 03/24/2022 15:33:00 UTC