May 19, 2022

Apple has released emergency updates to fix a zero-day vulnerability that can be exploited by attackers to target Mac and Apple Watch devices.

The bug, identified as CVE-2022-22675, is an out-of-bounds bug in the AppleAVD that allows apps to execute arbitrary code with kernel privileges. Apple has fixed the bug in macOS Big Sur 11.6, watchOS 8.6, and tvOS 15.5 with improved bounds checking.

Apple said in its security advisory released Monday that there are reports that the bug “may have been actively exploited,” but the company failed to release additional information about the attacks. By withholding information, updates can reach as many devices as possible before attackers pick up the details of the zero-day vulnerability.

Affected devices are Apple Watch Series 3 or later, Macs with macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.

While the zero-day vulnerability is only used in targeted attacks, users are strongly advised to install the latest macOS and watchOS security updates as soon as possible to block attack attempts.

The sources for this piece include an article in BleepingComputer.