{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3oapplevisionos/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2024-23222"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Safari"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-23222","type-confusion","sandbox-escape","webkit"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA public exploit was published demonstrating a type confusion vulnerability in Apple Safari, identified as CVE-2024-23222. This vulnerability affects Apple Safari on iOS 16.4.1. The exploit allows for a sandbox escape on iPhone X (A11 Bionic) devices. The exploit is delivered entirely as a single HTML page served over HTTP. The exploit code leverages a flaw in JavaScriptCore (JSC) related to the handling of \u003ccode\u003eFloat64Array\u003c/code\u003e and \u003ccode\u003eWebAssembly.Instance\u003c/code\u003e objects during garbage collection (GC). This can lead to arbitrary native function calls and ultimately a sandbox escape, allowing the attacker to write files to the filesystem outside of the Safari sandbox. The vulnerability was patched in iOS 17.3 and macOS 14.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a malicious webpage containing the exploit code.\u003c/li\u003e\n\u003cli\u003eThe exploit triggers CVE-2024-23222, a type confusion vulnerability in the JavaScriptCore (JSC) JIT engine.\u003c/li\u003e\n\u003cli\u003eThe type confusion occurs between a \u003ccode\u003eFloat64Array\u003c/code\u003e and a \u003ccode\u003eWebAssembly.Instance\u003c/code\u003e due to a race condition during garbage collection.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to gain arbitrary read and write capabilities in memory, specifically addrof(obj), read64(addr), and write64(addr).\u003c/li\u003e\n\u003cli\u003eThe exploit leverages a CALLER_WASM module with a call_indirect to gain arbitrary native function call capability. ASLR slide discovery is performed statically.\u003c/li\u003e\n\u003cli\u003eThe exploit calls _getpid() and _getuid() to confirm arbitrary C function invocation and to determine the user context (mobile).\u003c/li\u003e\n\u003cli\u003eThe exploit calls _open(\u0026quot;/tmp/pwned_cve_2024_23222\u0026quot;) to escape the sandbox and creates a file on the filesystem.\u003c/li\u003e\n\u003cli\u003eThe exploit calls _write(fd, \u0026ldquo;PWNED\u0026hellip;\u0026rdquo;, 57) to write data to the file, confirming the sandbox escape.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-23222 leads to a sandbox escape in Apple Safari on iOS 16.4.1. This allows an attacker to perform actions outside the normal restrictions of the browser\u0026rsquo;s sandbox, such as writing arbitrary files to the filesystem. In the demonstrated exploit, a file named \u003ccode\u003e/tmp/pwned_cve_2024_23222\u003c/code\u003e is created with the content \u0026ldquo;PWNED CVE-2024-23222 WebKit sandbox escape on iOS 16.4.1\u0026rdquo;. While the provided exploit targets iOS 16.4.1 on an iPhone X, other devices and versions may be vulnerable until patched. The vulnerability was patched in iOS 17.3 and macOS 14.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to exploit-related URLs, such as \u003ccode\u003eexploit_stage2.html\u003c/code\u003e, \u003ccode\u003eexploit_23222.html\u003c/code\u003e, and \u003ccode\u003ecve-2023-*.html\u003c/code\u003e as mentioned in the file structure section of the report.\u003c/li\u003e\n\u003cli\u003eApply the latest security patches for iOS and macOS to mitigate CVE-2024-23222 as the vulnerability has been fixed in iOS 17.3 and macOS 14.3.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts of CVE-2024-23222 by monitoring for unexpected file creations in \u003ccode\u003e/tmp/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T11:01:36Z","date_published":"2026-05-19T11:01:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2024-23222-safari-type-confusion/","summary":"A type confusion vulnerability exists in Apple Safari, as detailed in CVE-2024-23222. A public exploit demonstrates successful exploitation of the vulnerability on iOS 16.4.1, leading to a sandbox escape, which has been patched in iOS 17.3 and macOS 14.3.","title":"CVE-2024-23222 Apple Safari Type Confusion Leading to Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2024-23222-safari-type-confusion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}