Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.
Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.
Tracked as CVE-2022-40303 and CVE-2022-40304, the two vulnerabilities could lead to remote code execution. Apple has credited Google Project Zero security researchers for both issues.
“A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes for both security flaws.
The first of the flaws exists because the lack of specific limitations could lead to integer overflows. According to Apple, improved input validation resolved the issue.
In case of the second vulnerability, in specific conditions, memory errors such as double-free bugs could emerge. Apple says that improved checks fixed the defect.
Apple addressed the flaws with the release of macOS Ventura 13.0.1 and iOS 16.1.1 and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later).
Apple has made no mention of any of the vulnerabilities being exploited in attacks.
However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304 have been published online, which explains why Apple rushed the fixes.
Related: Apple Rolls Out Xcode Update Patching Git Vulnerabilities

More from Ionut Arghire
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
- Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
- CISA Provides Resources for Securing K-12 Education System
- Strata Raises $26 Million for Multi-Cloud Identity Management Platform
- Riot Games Says Source Code Stolen in Ransomware Attack
- Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones
- Attacks Targeting Realtek SDK Vulnerability Ramping Up
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
