CVE-2022-42827 - How a Kernel Out-of-Bounds Write Bug in iOS Allowed Attackers to Run Code With Full Privileges

In October 2022, Apple released a security update for iPhones and iPads to patch a serious vulnerability known as CVE-2022-42827. This bug was found in the kernel, the core of the iOS operating system. Attackers could exploit this flaw to run any code they wanted with the same powers as the system itself, a dream scenario for hackers. Apple even acknowledged that they believed hackers were already using this vulnerability "in the wild" before it was fixed.

Let’s break down what the bug was, how it could be exploited, and what Apple did to fix it.

What Was CVE-2022-42827?

CVE-2022-42827 was an out-of-bounds write issue in the iOS and iPadOS kernel. This means that, due to a programming mistake, certain code in the kernel could write data outside of the area of memory it was supposed to access. If an attacker could control what was written and where, they could overwrite important data — like security checks or function pointers — and take control of the whole system.

According to Apple’s security advisory

> An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.7.1, iPadOS 15.7.1, iOS 16.1 and iPadOS 16.  
> - Original advisory

How Dangerous Was It?

Out-of-bounds write bugs are among the most dangerous in software because they can change what the program does in unpredictable and usually dangerous ways. In the case of CVE-2022-42827, it was possible for an application (including a malicious app from the App Store if it could bypass other app review static checks or get side-loaded) to trigger this vulnerability and run arbitrary code with kernel privileges. In plain terms: the attacker would have the same power over the device as the operating system itself.

Technical Details

The technical heart of this bug was a lack of proper bounds checking in the kernel’s memory management code — likely in how it handled some internal list or queue. Here’s a simplified C-like code snippet (not Apple’s real code, but to help understand the idea):

void add_element(int *array, int index, int value) {
    // Vulnerable: Does NOT check if index is within array bounds!
    array[index] = value;
}

A safe version would check if index is outside the allowed range

void add_element(int *array, int index, int value, int max_length) {
    if (index <  || index >= max_length) {
        // Error: Out of bounds!
        return;
    }
    array[index] = value;
}

In the kernel, a similar missing check allowed data to be written past the intended buffer, corrupting sensitive kernel structures.

Exploit Details

While Apple did not publish exploit code, researchers and hackers typically use the following steps to exploit out-of-bounds write bugs like this on iOS:

1. Find a Place to Write: Figure out how to control the input so you can "poke" (write) arbitrary memory, ideally near something the kernel will use (like a function pointer).

Craft the Payload: Place just the right code in memory for the kernel to accidentally run it.

3. Trigger the Crash or Code Execution: Cause the out-of-bounds write to overwrite a critical value with your own code pointer.
4. Get Code Execution: When the system calls the overwritten function pointer, your malicious code runs in the kernel —a total device takeover.

For CVE-2022-42827, the initial exploit likely involved an app passing malformed data to a kernel service, such as for memory allocation, causing a write to spill over and corrupt adjacent kernel memory.

For a more detailed, real-world laboratory example, you can see this PoC (Proof-of-Concept) by Google Project Zero, which shows how similar vulnerabilities are found and exploited.

How Was It Fixed?

Apple addressed the issue by improving bounds checking in the kernel code — in simple terms, adding the missing check shown above.

> Patched in

> - iOS 15.7.1 and iPadOS 15.7.1
> - iOS 16.1 and iPadOS 16

They also updated their support documentation to highlight the risk, emphasizing the following

> Apple is aware of a report that this issue may have been actively exploited.

Was It Used in Real-World Attacks?

Yes, at the time of discovery, Apple stated that this vulnerability might have been actively exploited in the wild. This means hackers could have used it to break into iPhones or iPads, potentially targeting specific individuals (like activists, journalists, or others).

Any iPad running iPadOS before 15.7.1 or 16

Action Required: If you have an older iOS version and your device supports updates to 15.7.1 or later, you should update now.

References & Further Reading

- Apple security advisory: About the security content of iOS 15.7.1 and iPadOS 15.7.1
- Apple security update details for CVE-2022-42827: Apple Security Updates
- Blog post on similar exploits: Google Project Zero: "One Bad Apple"
- CVE details: CVE-2022-42827 at MITRE
- Threat research: Sophos threat report on iOS in-the-wild attacks

Summary

*CVE-2022-42827* was a high-impact out-of-bounds write bug in Apple's iOS and iPadOS kernel. It gave attackers the possibility to run any code on the device with the highest possible privileges. Apple quickly released a patch and urged all users to update. Given that this bug was potentially used in real-world attacks, keeping your device up to date is more important than ever.

Stay safe:

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/03/2022 13:33:00 UTC