A type confusion issue was addressed with improved checks. This issue is fixed in Safari 17.3, iOS 15.8.7 and iPadOS 15.8.7, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, tvOS 17.3, visionOS 1.0.2. Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.
Conclusion & alert: CVE-2024-23222 is rated Critical Active Threat (98.5/100): CVSS High severity, with high exploitation likelihood (EPSS 10.59%, 95th percentile). Core evidence: CISA KEV confirms active exploitation (added 2024-01-23) affecting Apple / Multiple Products. a weakness (CWE-843) Unauthenticated remote administrative access may be possible. EPSS rose +9.97% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Apple Multiple Products WebKit Type Confusion Vulnerability · CISA KEV detail
: 2024-01-23
: 2024-02-13
: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.62% | 10.59% | +9.97% |
| 2 | 2026-05-29 | 0.91% | 0.62% | -0.29% |
| 3 | 2026-05-22 | — | 0.91% | — |
Full EPSS history (25 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-23222 not yet assigned priority: Debian including 2 source packages (webkit2gtk, wpewebkit), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 8, open 2. | https://security-tracker.debian.org/tracker/CVE-2024-23222 |
gentoo
|
high | CVE-2024-23222: 1 GLSA(s) (202407-13), 1 atom(s) (net-libs/webkit-gtk); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-23222 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2024-23222 |
suse
|
high | CVE-2024-23222 severity important: SUSE including 132 source package names (WebKitGTK-4.0-lang-2.46.0-150400.4.91.1, WebKitGTK-4.0-lang-2.46.0-150600.12.12.1, …), 455 product×package rows across 46 product lines (SUSE Enterprise Storage 7.1, SUSE Liberty Linux 8, … (46 product lines)): Fixed 385, Known Not Affected 70. | https://www.suse.com/security/cve/CVE-2024-23222/ |
ubuntu
|
medium | CVE-2024-23222 medium priority: Ubuntu including 5 source packages (qtwebkit-opensource-src, qtwebkit-source, webkit2gtk, webkitgtk, wpewebkit), 45 status rows across 9 suites (bionic, focal, jammy, lunar, mantic, noble, trusty, upstream, xenial): ignored 22, DNE 16, needs-triage 3, released 3, not-affected 1. | https://ubuntu.com/security/CVE-2024-23222 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apple | safari | < 17.3 | cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* |
| apple | ipados | < 15.8.7 | cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* |
| apple | ipados | >= 16.0, < 16.7.5 | cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* |
| apple | ipados | >= 17.0, < 17.3 | cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* |
| apple | iphone_os | < 15.8.7 | cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
| apple | iphone_os | >= 16.0, < 16.7.5 | cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
| apple | iphone_os | >= 17.0, < 17.3 | cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
| apple | macos | >= 12.0, < 12.7.3 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | macos | >= 13.0, < 13.6.4 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | macos | >= 14.0, < 14.3 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | tvos | < 17.3 | cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* |
| apple | visionos | < 1.0.2 | cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* |