An Autopsy on a Zombie In-the-Wild 0-day
ID: 839ea871-a1ae-5687-b93b-69de88592b0e
STIX ID: report--839ea871-a1ae-5687-b93b-69de88592b0e
Feed Name: Google Project Zero
Project Zero details the lifecycle of CVE-2022-22620, a WebKit/Safari use-after-free that was correctly fixed in 2013, accidentally reintroduced during a large refactoring in 2016, and ultimately observed exploited in the wild in 2022. The post explains the code changes, test coverage, trigger path (loadInSameDocument → blur → replaceState), and lessons about regression risks during refactoring.
