Morning Overview

Apple’s emergency iOS patch targets active web-based attacks that steal data from unpatched iPhones

Apple released emergency security updates in January 2024 to close a vulnerability that attackers were already exploiting through malicious websites to run code on iPhones. The flaw, tracked as CVE-2024-23222, sits in WebKit, the browser engine behind Safari and, at the time, every other browser on iOS (Apple has since allowed alternative engines only in the European Union, starting with iOS 17.4). Because all iPhone web content was rendered by WebKit, any user who visited a compromised site was exposed, with no download and no permission prompt required.

The patches arrived in iOS 17.3, iOS 16.7.5, iPadOS 17.3, iPadOS 16.7.5, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, and Safari 17.3. Apple confirmed in its security advisory that it was “aware of a report that this issue may have been exploited,” language the company reserves for vulnerabilities with confirmed real-world abuse.

Why this vulnerability is dangerous

CVE-2024-23222 is a type confusion bug, a class of memory-safety flaw in which code treats an object in memory as though it were an object of a different type. When a crafted webpage triggers that mistake, attacker-controlled values (a number, a string length) get interpreted as something they are not, such as a pointer or an array bound, and the attacker gains the ability to read or write memory the page should never touch. From there, the usual outcome is arbitrary code execution inside the browser's content process. Exploit developers prize type confusion bugs because a reliable one supplies exactly the memory read/write primitive needed to defeat mitigations such as address-space randomization and pointer authentication, and so typically serves as the first link of a longer exploit chain. One practical caveat: on iOS, WebKit renders pages in a sandboxed WebContent process, so a full device compromise generally requires chaining this bug with a separate sandbox-escape or kernel vulnerability; Apple's advisory describes only the WebKit flaw.

What makes this category of attack especially concerning is that it demands no user interaction beyond normal browsing. There is no attachment to open and no prompt to approve; a single page load on a rigged site is enough. That low barrier is why Apple shipped the fix as an emergency security update across every supported OS line at once rather than holding it for a later routine release.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) catalog, a list the agency maintains specifically for flaws with confirmed active exploitation. Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV-listed vulnerabilities by the due date CISA attaches to each entry, a policy that reflects how seriously the U.S. government treats entries on that list.

What remains unknown about the attacks

Neither Apple nor CISA has publicly identified who was behind the attacks or how many devices were compromised before the patch shipped. That gap is typical for zero-day browser exploits. Both nation-state intelligence services and commercial spyware vendors actively seek out WebKit vulnerabilities, and Apple almost never names threat actors in its advisories.

It also remains unclear whether the attacks were narrowly targeted or broadly deployed. State-sponsored operations tend to focus on high-value individuals such as journalists, human rights activists, and government officials. Broader campaigns, by contrast, sometimes poison advertising networks or inject exploit code into popular websites to cast a wider net. The distinction matters: it determines whether the average iPhone owner faced real personal risk or whether the threat was limited to a small number of specific targets. As of May 2026, no public report has definitively answered that question for this particular vulnerability.

Apple does not publish detailed data on how many users run specific iOS versions at any given time, so estimating the size of the population that was exposed before the patch is not possible with available numbers. The company has said that iOS adoption rates for major releases are generally high, but version-level granularity is not shared publicly.

How Apple’s advisory language works

Apple’s phrasing that it was “aware of a report” that the flaw “may have been exploited” sounds tentative, but security researchers who track Apple’s disclosure patterns treat it as a near-confirmation. Will Strafach, CEO of Guardian Firewall and a longtime iOS security researcher, has noted that Apple’s legal and communications teams use this hedged construction consistently, even when internal evidence of active attacks is strong. Apple has never used more direct language in a public advisory for any of the more than 20 zero-days it patched across 2023 and early 2024.

The National Vulnerability Database (NVD) entry at NIST cross-references Apple's advisory and assigns a CVSS severity score based on the flaw's technical characteristics. When an NVD record also carries the CISA KEV flag, it signals a higher tier of real-world risk than a standard disclosure: the score describes how bad exploitation could be, and the KEV entry confirms that exploitation is actually happening. For security teams at corporations, hospitals, and government agencies, that combination is the clearest institutional signal to prioritize a patch immediately.

Steps for verifying your device is patched

If you have not updated your iPhone since January 2024, your device may still be running a vulnerable version of iOS. Open Settings, tap General, then tap Software Update and install whatever is offered. To confirm what is installed, open Settings, tap General, then About: the iOS Version field should read 17.3 or later, or 16.7.5 or later on older hardware that cannot run iOS 17. Automatic updates, if enabled, likely applied the fix long ago, but checking the version manually is the only way to be sure.

The same advice applies to iPad, Mac, and Apple TV owners. Apple patched the same WebKit flaw across iPadOS, macOS Sonoma, macOS Ventura, macOS Monterey, and tvOS in coordinated releases, so the fixed versions to look for are iPadOS 17.3 or 16.7.5, macOS 14.3, 13.6.4, or 12.7.3, and tvOS 17.3. Anyone managing multiple Apple devices should verify each one individually, or pull the installed OS versions from a mobile device management (MDM) inventory, since automatic update settings and timing can vary across products.
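The manual check above scales poorly past a handful of devices. What follows is an added example, not Apple's tooling and not code from the original article: a Python script that reads an OS-version inventory in the shape of a typical MDM CSV export (the inventory lines embedded here are constructed sample data) and flags every device still below the fixed build Apple listed for its release line. One assumption not stated in the advisory: release lines newer than the newest fixed one (iOS 18, macOS 15 and so on) are treated as carrying the fix, while lines Apple listed no fixed build for (iOS 15, for instance) are flagged rather than silently passed.

```python
"""Fleet check for the January 2024 WebKit fix (CVE-2024-23222).

Added example, not Apple's tooling. Reads an OS-version inventory (for
instance an MDM export) and flags devices still below the fixed build for
their release line. Fixed builds are the ones Apple listed in its advisory;
the inventory embedded below is constructed sample data.
"""
import csv
import io

# Lowest build on each release line that contains the fix, from Apple's
# January 2024 advisory. Keyed by product, then by major version.
FIXED_BUILDS = {
    "iOS":    {16: (16, 7, 5), 17: (17, 3)},
    "iPadOS": {16: (16, 7, 5), 17: (17, 3)},
    "macOS":  {12: (12, 7, 3), 13: (13, 6, 4), 14: (14, 3)},
    "tvOS":   {17: (17, 3)},
    "Safari": {17: (17, 3)},
}


def parse_version(text):
    """'16.7.5' -> (16, 7, 5). Tuples compare numerically, so 16.10 > 16.7.5
    (a plain string comparison would get that backwards)."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(product, version):
    """Classify one device as 'patched', 'vulnerable', 'no-fix-listed'
    or 'unknown-product'.

    Assumption (not from the advisory): release lines newer than the newest
    fixed line, e.g. iOS 18 or macOS 15, ship with the fix included.
    """
    lines = FIXED_BUILDS.get(product)
    if lines is None:
        return "unknown-product"
    installed = parse_version(version)
    major = installed[0]
    if major > max(lines):
        return "patched"
    fixed = lines.get(major)
    if fixed is None:
        # Apple listed no fixed build for this line (e.g. iOS 15); surface it
        # for a human decision instead of treating it as safe.
        return "no-fix-listed"
    return "patched" if installed >= fixed else "vulnerable"


def flag_devices(inventory_csv):
    """Return [(device_id, product, version, status)] for every device
    whose status is anything other than 'patched'."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    flagged = []
    for row in reader:
        status = patch_status(row["product"], row["version"])
        if status != "patched":
            flagged.append((row["device_id"], row["product"],
                            row["version"], status))
    return flagged


# Constructed sample inventory in the shape of a typical MDM CSV export.
SAMPLE_INVENTORY = """device_id,product,version
phone-01,iOS,17.2.1
phone-02,iOS,17.3
phone-03,iOS,16.7.4
phone-04,iOS,16.7.5
phone-05,iOS,15.8
pad-01,iPadOS,17.3.1
mac-01,macOS,13.6.3
mac-02,macOS,14.4.1
tv-01,tvOS,17.2
"""

if __name__ == "__main__":
    for device in flag_devices(SAMPLE_INVENTORY):
        print("%-10s %-7s %-8s %s" % device)
```

Two design points: versions are compared as integer tuples rather than strings, because a string comparison ranks 16.7.5 above 16.10 and would mark a patched device as vulnerable; and devices on release lines the advisory does not cover are reported as "no-fix-listed" rather than dropped, since a device that cannot receive the fix is the one a fleet owner most needs to see.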

This was Apple’s first confirmed zero-day patch of 2024, following a year in which the company addressed 20 actively exploited vulnerabilities. That pace underscores a broader reality: keeping software current is not optional hygiene. It is the single most effective defense against the kind of silent, web-based attacks that this patch was built to stop.


*This article was researched with the help of AI, with human editors creating the final content.