CVE-2024-23222 is a type confusion vulnerability in Apple Safari's WebKit engine that could allow an attacker to execute arbitrary code by processing maliciously crafted web content. The vulnerability was fixed by Apple through improved memory handling and additional checks in Safari 17.3, iOS 15.8.7, iOS 16.7.5, iPadOS 15.8.7, iPadOS 16.7.5, macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, tvOS 17.3, and visionOS 1.0.2. The fix addresses the Coruna exploit and extends support to devices that cannot update to the latest iOS version. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating that the vulnerability can be exploited remotely over the network with low attack complexity, no privileges required, but user interaction is needed. Successful exploitation could lead to full compromise of confidentiality, integrity, and availability of the affected system.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the affected device with the privileges of the Safari process, potentially leading to full compromise of the device. The CVSS score of 8.8 reflects high impact on confidentiality, integrity, and availability. The vulnerability affects multiple Apple platforms and versions, including iOS, iPadOS, macOS, tvOS, and visionOS. There are no confirmed reports of active exploitation in the wild at the time of this advisory.

Apple has released official patches addressing CVE-2024-23222 in Safari 17.3 and multiple OS updates including iOS 15.8.7, iOS 16.7.5, iPadOS 15.8.7, iPadOS 16.7.5, macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, tvOS 17.3, and visionOS 1.0.2. Users and administrators should apply these updates promptly to mitigate the risk. Devices that cannot update to the latest OS versions have received backported fixes in these updates. No additional mitigation steps are indicated by the vendor advisory.