CVE-2022-22620

ENISA EUVD: EUVD-2022-27765 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 7 articles Published: 2022-03-18

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

4.02%

probability

This CVE has a 4.02% probability of being exploited in the next 30 days.

0% Top 88.6th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

8.8

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

6.8

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

Affected Products

Apple

Safari (v and )

unspecified

Apple

macOS

unspecified

Apple

macOS

unspecified

apple

safari

apple

ipados

apple

iphone os

apple

macos

Apple

macOS

unspecified <15.3

Apple

Safari (v and )

unspecified <15.3

Apple

macOS

unspecified <12.2

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Patched

Feb. 10, 2022

Reported by

???

Root Cause Analysis

https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html

Exploits & PoC

springsec/CVE-2022-22620

Webkit (Safari) - Exploit

6 2022-08-09

kmeps4/CVE-2022-22620

CVE-2022-22620: Use-after-free in Safari

1 2023-04-14

2 repos — triés par ⭐ Rechercher sur GitHub ↗

https://support.apple.com/en-us/HT213091

x_refsource_MISC

https://support.apple.com/en-us/HT213092

x_refsource_MISC

https://support.apple.com/en-us/HT213093

x_refsource_MISC

https://security.gentoo.org/glsa/202208-39

vendor-advisory x_refsource_GENTOO

Signal Intelligence

Confidenceⓘ

95%

EPSS 4.02%

CVSS v3.1 8.8

Mentions 7

Last Seen May 16, 2022

CNA Information

CNA Assigner

apple

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026

Published DateMar 18, 2022