Released July 20, 2022
APFS
Available for: macOS Catalina
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32832: Tommy Muir (@Muirey03)
AppleMobileFileIntegrity
Available for: macOS Catalina
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state management.
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro
AppleScript
Available for: macOS Catalina
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Description: This issue was addressed with improved checks.
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro
AppleScript
Available for: macOS Catalina
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security
AppleScript
Available for: macOS Catalina
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security
Audio
Available for: macOS Catalina
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2022-32820: an anonymous researcher
Calendar
Available for: macOS Catalina
Impact: An app may be able to access sensitive user information
Description: The issue was addressed with improved handling of caches.
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security
Calendar
Available for: macOS Catalina
Impact: An app may be able to access user-sensitive data
Description: An information disclosure issue was addressed by removing the vulnerable code.
CVE-2022-32849: Joshua Jones
CoreText
Available for: macOS Catalina
Impact: A remote user may cause an unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2022-32839: STAR Labs (@starlabs_sg)
FaceTime
Available for: macOS Catalina
Impact: An app with root privileges may be able to access private information
Description: This issue was addressed by enabling hardened runtime.
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing
File System Events
Available for: macOS Catalina
Impact: An app may be able to gain root privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-32819: Joshua Mason of Mandiant
ICU
Available for: macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
ImageIO
Available for: macOS Catalina
Impact: Processing an image may lead to a denial-of-service
Description: A null pointer dereference was addressed with improved validation.
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)
Intel Graphics Driver
Available for: macOS Catalina
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.
Intel Graphics Driver
Available for: macOS Catalina
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2022-32811: ABC Research s.r.o
Kernel
Available for: macOS Catalina
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32815: Xinru Chi of Pangu Lab
CVE-2022-32813: Xinru Chi of Pangu Lab
libxml2
Available for: macOS Catalina
Impact: An app may be able to leak sensitive user information
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2022-32823
PackageKit
Available for: macOS Catalina
Impact: An app may be able to modify protected parts of the file system
Description: An issue in the handling of environment variables was addressed with improved validation.
CVE-2022-32786: Mickey Jin (@patch1t)
PackageKit
Available for: macOS Catalina
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved checks.
CVE-2022-32800: Mickey Jin (@patch1t)
PluginKit
Available for: macOS Catalina
Impact: An app may be able to read arbitrary files
Description: A logic issue was addressed with improved state management.
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro
PS Normalizer
Available for: macOS Catalina
Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz
SMB
Available for: macOS Catalina
Impact: An app may be able to gain elevated privileges
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)
SMB
Available for: macOS Catalina
Impact: A user in a privileged network position may be able to leak sensitive information
Description: An out-of-bounds read issue was addressed with improved bounds checking.
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)
Software Update
Available for: macOS Catalina
Impact: A user in a privileged network position can track a user’s activity
Description: This issue was addressed by using HTTPS when sending information over the network.
CVE-2022-32857: Jeffrey Paul (sneak.berlin)
Spindump
Available for: macOS Catalina
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed with improved file handling.
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
Spotlight
Available for: macOS Catalina
Impact: An app may be able to gain elevated privileges
Description: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.
CVE-2022-26704: Joshua Mason of Mandiant
TCC
Available for: macOS Catalina
Impact: An app may be able to access sensitive user information
Description: An access issue was addressed with improvements to the sandbox.
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Vim
Available for: macOS Catalina
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating Vim.
CVE-2021-4136
CVE-2021-4166
CVE-2021-4173
CVE-2021-4187
CVE-2021-4192
CVE-2021-4193
CVE-2021-46059
CVE-2022-0128
Wi-Fi
Available for: macOS Catalina
Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory
Description: This issue was addressed with improved checks.
CVE-2022-32847: Wang Yu of Cyberserval
