Mallory
High | CISA KEV | Exploited in the wild | Public exploit

Arbitrary Code Execution in Apple WebKit/JavaScriptCore Web Content Processing

Identifiers: CVE-2022-48503, CWE-787
Also known as: jacurutu

CVE-2022-48503 is an Apple WebKit/JavaScriptCore memory corruption vulnerability affecting multiple Apple platforms. Apple states the issue was addressed with improved bounds checks and that processing malicious web content may lead to arbitrary code execution. The flaw was fixed in tvOS 15.6, watchOS 8.7, iOS 15.6, iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6. Supporting reporting further places the bug in the JavaScriptCore component and describes it as a WebContent read/write primitive used in the Coruna exploit kit against iOS 15.2 through 15.5 to obtain initial code execution in the browser renderer process.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution while processing attacker-controlled web content. In observed exploit chains, the vulnerability provided code execution and WebContent memory read/write capability in the Safari/WebKit renderer context, enabling attackers to establish the initial foothold for subsequent sandbox escape, PAC bypass, kernel exploitation, and payload delivery. On its own, impact is at least compromise of the targeted browser content process; when chained with additional vulnerabilities, it can contribute to full device compromise.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure to untrusted web content, especially Safari-based browsing to unknown or suspicious sites. Enable Lockdown Mode on at-risk Apple devices where operationally feasible; supporting reporting indicates Coruna checks for Lockdown Mode and avoids such devices. Use web filtering/Safe Browsing protections to block known malicious domains and watering-hole infrastructure. Because exploitation is delivered via malicious web content, limiting browsing from vulnerable devices and isolating high-risk users can reduce risk until patches are applied.

Remediation

Patch, then assume compromise.

Apply Apple security updates that contain the fix for CVE-2022-48503: tvOS 15.6, watchOS 8.7, iOS 15.6, iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6 or later. For legacy devices, install the latest available backported security updates provided by Apple. Prioritize patching internet-exposed and user-browsing devices, especially iPhones and iPads running vulnerable iOS/iPadOS builds.
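
To turn the fixed-version list above into a patch-priority check, the following added example (not part of the original page or of any vendor tooling) triages an asset inventory. The inventory rows, hostnames and status labels are assumptions made for illustration; versions on an older major line are marked for review because the page lists no fixed build for them.

```python
import re

# Fixed versions exactly as listed in the Remediation section of this page.
FIXED = {"tvos": (15, 6), "watchos": (8, 7), "ios": (15, 6),
         "ipados": (15, 6), "macos": (12, 5), "safari": (15, 6)}
# iOS range the page reports the Coruna exploit kit used this bug against.
CORUNA_IOS = ((15, 2), (15, 5))


def parse_version(text):
    """Turn '15.5' or '15.6.1' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,3})\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(platform, version):
    """Classify one asset as patched, vulnerable, priority or review."""
    key = (platform or "").strip().lower()
    fixed, ver = FIXED.get(key), parse_version(version)
    if fixed is None or ver is None:
        return "review"      # unknown platform or unreadable version string
    if ver >= fixed:
        return "patched"     # at or above the listed fixed release
    if ver[0] < fixed[0]:
        return "review"      # older major line: needs Apple's backported update
    if key == "ios" and CORUNA_IOS[0] <= ver[:2] <= CORUNA_IOS[1]:
        return "priority"    # vulnerable and inside the reported targeted range
    return "vulnerable"


def triage_inventory(rows):
    """Map hostname -> status for (hostname, platform, version) rows."""
    return {host: triage(platform, version) for host, platform, version in rows}


# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("iphone-014", "iOS", "15.4.1"),
    ("ipad-203", "iPadOS", "15.6"),
    ("mac-077", "macOS", "12.4"),
    ("iphone-002", "iOS", "12.5"),
    ("atv-01", "tvOS", "16.1"),
    ("kiosk-9", "iOS", "unknown"),
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host:12} {status}")
```
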
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product     Type
Apple    Ipados      operating_system
Apple    Iphone Os   operating_system
Apple    Macos       operating_system
Apple    Safari      application
Apple    Tvos        operating_system
Apple    Watchos     application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
