Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-23222

CVE-2024-23222: Apple Safari RCE Vulnerability

CVE-2024-23222 is a type confusion remote code execution vulnerability in Apple Safari that allows arbitrary code execution via malicious web content. This article covers technical details, affected versions, and patches.

Updated:

CVE-2024-23222 Overview

CVE-2024-23222 is a type confusion vulnerability in Apple's WebKit browser engine affecting Safari, iOS, iPadOS, macOS, tvOS, and visionOS. Processing maliciously crafted web content can lead to arbitrary code execution. Apple addressed the issue with improved checks across multiple platform updates.

The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The fix associated with the Coruna exploit shipped in iOS 17.3 on January 22, 2024, and Apple later backported the patch to older devices that cannot upgrade to the latest iOS version. The flaw is classified as CWE-843 (Access of Resource Using Incompatible Type).

Critical Impact

A remote attacker can achieve arbitrary code execution on Apple devices by luring a user to visit a malicious webpage. Confirmed exploited in the wild per CISA KEV.

Affected Products

  • Apple Safari (prior to 17.3)
  • Apple iOS and iPadOS (15.8.7, 16.7.5, 17.3 patches)
  • Apple macOS Monterey 12.7.3, Ventura 13.6.4, Sonoma 14.3
  • Apple tvOS 17.3 and visionOS 1.0.2

Discovery Timeline

  • 2024-01-22 - Apple ships fix for the Coruna exploit in iOS 17.3
  • 2024-01-23 - CVE-2024-23222 published to NVD
  • 2026-04-03 - Last updated in NVD database

Technical Details for CVE-2024-23222

Vulnerability Analysis

The vulnerability is a type confusion issue in WebKit, the browser engine that powers Safari and all third-party browsers on iOS. Type confusion occurs when code allocates or accesses an object using one type but treats it as a different, incompatible type at runtime. This mismatch lets attackers manipulate memory in ways the original type system was designed to prevent.

In JavaScript engines like JavaScriptCore inside WebKit, type confusion typically arises in just-in-time (JIT) compiled code paths or in object property access optimizations. When the engine assumes a stale or incorrect type for an object, attackers can read or write outside intended boundaries. This primitive is commonly chained with heap shaping and ROP/JOP techniques to achieve arbitrary code execution in the WebContent process.

Apple's advisory confirms the fix involved adding stricter type checks. Public technical details remain limited, consistent with Apple's standard handling of in-the-wild exploits.

Root Cause

The root cause is insufficient type validation when processing specific web content constructs. WebKit accessed a resource using an incompatible type [CWE-843], allowing an attacker-controlled object to be interpreted as a different internal type and break memory safety invariants.

Attack Vector

Exploitation is remote and requires user interaction. The target must load attacker-controlled web content in Safari or any iOS browser using WebKit. Delivery vectors include malicious URLs sent via phishing, smishing, watering-hole attacks, or malicious advertising loaded inside webviews. Successful exploitation grants code execution within the renderer process and is typically paired with a sandbox escape for full device compromise.

Verified public exploitation code is not available. The vulnerability is referenced as the Coruna exploit per Apple's advisory and is listed in CISA KEV. See the CISA Known Exploited Vulnerabilities entry and Apple Support Document 118479 for vendor details.

Detection Methods for CVE-2024-23222

Indicators of Compromise

  • Unexpected Safari or WebKit-based browser crashes, particularly com.apple.WebKit.WebContent process termination, recorded in device diagnostics.
  • Outbound connections from iOS or macOS devices to known malicious or newly registered domains hosting JavaScript-heavy payloads.
  • Unusual configuration profiles, mobile device management (MDM) enrollments, or background processes appearing shortly after browsing activity.
  • Anomalous spikes in JavaScript execution time or memory usage logged on enterprise-managed Safari deployments.

Detection Strategies

  • Inventory all Apple devices and compare installed OS and Safari versions against the patched versions listed in Apple's advisories.
  • Hunt for browser process crashes correlated with visits to suspicious URLs in proxy and DNS logs.
  • Monitor for post-exploitation behaviors such as unauthorized profile installation, keychain access, or new launch agents on macOS.

Monitoring Recommendations

  • Centralize Safari telemetry, MDM compliance posture, and DNS resolution logs to identify drive-by attempts.
  • Subscribe to CISA KEV and Apple security update feeds and trigger alerts on devices that fall behind required patch levels.
  • Track threat intelligence on WebKit zero-day campaigns and add associated indicators to perimeter and endpoint blocklists.

How to Mitigate CVE-2024-23222

Immediate Actions Required

  • Update all Apple devices to Safari 17.3, iOS/iPadOS 15.8.7, 16.7.5, or 17.3 and later, macOS Monterey 12.7.3, Ventura 13.6.4, Sonoma 14.3, tvOS 17.3, or visionOS 1.0.2.
  • Prioritize patching for executive, developer, and high-risk users who handle sensitive data or credentials.
  • Enable automatic updates on managed Apple fleets through MDM to close the window for future WebKit zero-days.
  • Enable Lockdown Mode on iOS and macOS for individuals at elevated risk of targeted attacks.

Patch Information

Apple released patches across its product lines. Reference Apple Support Document 120304, Apple Support Document 120305, Apple Support Document 120307, and Apple Support Document 118479 for version-specific guidance. Federal agencies are required to remediate per the CISA KEV catalog.

Workarounds

  • If immediate patching is not possible, restrict browsing on unpatched devices to a curated allowlist of trusted domains via MDM web content filtering.
  • Disable JavaScript in Safari for unpatched, high-risk users until updates are applied (Settings → Safari → Advanced → JavaScript).
  • Enable Lockdown Mode on supported devices to reduce WebKit attack surface.
  • Block known malicious infrastructure associated with WebKit exploitation campaigns at network egress points.
bash
# Verify macOS version is patched
sw_vers -productVersion

# Trigger software update check on macOS
sudo softwareupdate -l
sudo softwareupdate -ia --restart

# Verify Safari version on macOS
defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne