Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.
Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.
Tracked as CVE-2022-40303 and CVE-2022-40304, the two vulnerabilities could lead to remote code execution. Apple has credited Google Project Zero security researchers for both issues.
“A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes for both security flaws.
The first of the flaws exists because the lack of specific limitations could lead to integer overflows. According to Apple, improved input validation resolved the issue.
In case of the second vulnerability, in specific conditions, memory errors such as double-free bugs could emerge. Apple says that improved checks fixed the defect.
Apple addressed the flaws with the release of macOS Ventura 13.0.1 and iOS 16.1.1 and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later).
Apple has made no mention of any of the vulnerabilities being exploited in attacks.
However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304 have been published online, which explains why Apple rushed the fixes.
Related: Apple Rolls Out Xcode Update Patching Git Vulnerabilities
Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch
Related: Apple Warns of macOS Kernel Zero-Day Exploitation

More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
