The U.S. Cybersecurity and Infrastructure Security Agency (CISA), an arm of the U.S. Department of Homeland Security, said on Jan. 30 that the issue, marked as CVE-2022-48618, can bypass "pointer authentication." It said that not fixing the bug could pose a "significant" risk to the U.S. "federal enterprise."

The bulletin also said that it issued a "binding operational directive" to issue updates to fix the problem, requiring federal civilian agencies to "remediate identified vulnerabilities by the due date to protect" its "networks against active threats."

According to CISA, the agencies were given about three weeks to patch the issue. The deadline was set for Feb. 21, 2024.

But CISA also warned that it "strongly urges all organizations," such as companies, to respond to the bug.

On a separate website, officials say that the issue has been fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and, iPadOS 16.2, and tvOS 16.2. "An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1," the bulletin said.

In a separate instance last month, CISA sent out an advisory for iPhone and other iOS users to update their products for another security issue.

"Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system," said the agency on Jan. 23. It then recommended that users update their software.

As usual, Apple provided few details about the fixes in the latest update, which applies to iPhones and iPads. But one of the fixed issues, known as CVE-2024-23222, was a vulnerability in WebKit, which runs the Safari browser, that could allow an actor to execute code on a device.