About the security content of macOS Monterey 12.6

This document describes the security content of macOS Monterey 12.6.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Monterey 12.6

Released September 12, 2022

AppleMobileFileIntegrity

Available for: macOS Monterey

Impact: An app may be able to access user-sensitive data

Description: An issue in code signature validation was addressed with improved checks.

CVE-2022-42789: Koh M. Nakagawa of FFRI Security, Inc.

Entry added October 27, 2022

ATS

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2022-32902: Mickey Jin (@patch1t)

Entry added October 27, 2022

ATS

Available for: macOS Monterey

Impact: An app may be able to access user-sensitive data

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2022-32904: Mickey Jin (@patch1t)

Entry added October 27, 2022

ATS

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2022-32902: Mickey Jin (@patch1t)

Calendar

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: An access issue was addressed with improved access restrictions.

CVE-2022-42819: an anonymous researcher

Entry added October 27, 2022

GarageBand

Available for: macOS Monterey

Impact: An app may be able to access user-sensitive data

Description: A configuration issue was addressed with additional restrictions.

CVE-2022-32877: Wojciech Reguła (@_r3ggi) of SecuRing

Entry added October 27, 2022

ImageIO

Available for: macOS Monterey

Impact: Processing an image may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved validation.

CVE-2022-1622

Entry added October 27, 2022

Image Processing

Available for: macOS Monterey

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added October 27, 2022

iMovie

Available for: macOS Monterey

Impact: A user may be able to view sensitive user information

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-32896: Wojciech Reguła (@_r3ggi)

Kernel

Available for: macOS Monterey

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

Entry added May 11, 2023

Kernel

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-32914: Zweig of Kunlun Lab

Entry added October 27, 2022

Kernel

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32911: Zweig of Kunlun Lab

CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)

CVE-2022-32924: Ian Beer of Google Project Zero

Entry updated October 27, 2022

Kernel

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher

Maps

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas of breakpointhq.com

Entry updated October 27, 2022

MediaLibrary

Available for: macOS Monterey

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

ncurses

Available for: macOS Monterey

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2021-39537

Entry added October 27, 2022

Notes

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to track user activity

Description: This issue was addressed with improved data protection.

CVE-2022-42818: Gustav Hansen from WithSecure

Entry added December 22, 2022

PackageKit

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32900: Mickey Jin (@patch1t)

Sandbox

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added October 27, 2022

Security

Available for: macOS Monterey

Impact: An app may be able to bypass code signing checks

Description: An issue in code signature validation was addressed with improved checks.

CVE-2022-42793: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added October 27, 2022

Sidecar

Available for: macOS Monterey

Impact: A user may be able to view restricted content from the lock screen

Description: A logic issue was addressed with improved state management.

CVE-2022-42790: Om kothawade of Zaprico Digital

Entry added October 27, 2022

SMB

Available for: macOS Monterey

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-32934: Felix Poulin-Belanger

Entry added October 27, 2022

Vim

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-0261

CVE-2022-0318

CVE-2022-0319

CVE-2022-0351

CVE-2022-0359

CVE-2022-0361

CVE-2022-0368

CVE-2022-0392

Entry added October 27, 2022

Vim

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents

Description: This issue was addressed with improved checks.

CVE-2022-1720

CVE-2022-2000

CVE-2022-2042

CVE-2022-2124

CVE-2022-2125

CVE-2022-2126

Entry added October 27, 2022

Weather

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved state management.

CVE-2022-32875: an anonymous researcher

Entry added October 27, 2022

WebKit

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 242047

CVE-2022-32888: P1umer (@p1umer)

Entry added October 27, 2022

Additional recognition

apache

We would like to acknowledge Tricia Lee of Enterprise Service Center for their assistance.

Entry added May 11, 2023

Identity Services

We would like to acknowledge Joshua Jones for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: