CVE-2024-23225
Last modified
CVE-2024-23225 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, tvOS 17.4, visionOS 1.1, watchOS 10.4. CISA has confirmed active exploitation in the wild. EPSS estimates a 1.48% chance of exploitation in the next 30 days.
Description
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, tvOS 17.4, visionOS 1.1, watchOS 10.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apple | Ipados | < 16.7.6 |
| Apple | Ipados | >= 17.0, < 17.4 |
| Apple | Iphone Os | < 16.7.6 |
| Apple | Iphone Os | >= 17.0, < 17.4 |
| Apple | Macos | >= 12.0, < 12.7.4 |
| Apple | Macos | >= 13.0, < 13.6.5 |
| Apple | Macos | >= 14.0, < 14.4 |
| Apple | Tvos | < 17.4 |
| Apple | Visionos | < 1.1 |
| Apple | Watchos | < 10.4 |
References
- https://support.apple.com/en-us/120880Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120881Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120882Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120883Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120884Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120886Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120893Release Notes, Vendor Advisory
- https://support.apple.com/en-us/120895Release Notes, Vendor Advisory
- http://seclists.org/fulldisclosure/2024/Mar/18Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/19Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/21Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/22Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/23Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/24Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/25Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2024/Mar/26Mailing List, Third Party Advisory
- https://support.apple.com/en-us/HT214081Vendor Advisory
- https://support.apple.com/en-us/HT214082Vendor Advisory
- https://support.apple.com/kb/HT214082Vendor Advisory
- https://support.apple.com/kb/HT214083Vendor Advisory
- https://support.apple.com/kb/HT214084Vendor Advisory
- https://support.apple.com/kb/HT214085Vendor Advisory
- https://support.apple.com/kb/HT214086Vendor Advisory
- https://support.apple.com/kb/HT214087Vendor Advisory
- https://support.apple.com/kb/HT214088Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23225US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-23225?
How severe is CVE-2024-23225?
How do I fix CVE-2024-23225?
Are you affected by CVE-2024-23225?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST