Apple has released new security updates that backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug. The vulnerability (CVE-2022-42827) is the same one Apple patched for iPhone and iPad devices this Monday, October 24. If successfully exploited, it allows attackers to execute arbitrary code with kernel privileges.
The out-of-bounds write issue was reported to Apple by an anonymous researcher. It is caused by software writing data outside the boundaries of a memory buffer. The resulting memory corruption can lead to data corruption, application crashes, and code execution, because data subsequently written to the buffer produces undefined or unexpected results. Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today with improved bounds checking.