CVE-2024-44308
Published: 20 November 2024
Summary
CVE-2024-44308 is a high-severity an unspecified weakness vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 23.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-44308 is a vulnerability in Apple's web content processing components that was addressed through improved input validation checks. It affects Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. The flaw permits arbitrary code execution when maliciously crafted web content is processed, and carries a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and no required privileges.
An unauthenticated remote attacker can exploit the issue by serving malicious web content that a victim visits or renders, resulting in full arbitrary code execution on the target system with impacts to confidentiality, integrity, and availability. User interaction is required in the form of processing the crafted content.
Apple security advisories for the listed products confirm that the fixes are delivered via the updated releases and note that the issue may have been actively exploited in the wild against Intel-based Mac systems. The EPSS score rose from a low starting value to a recorded peak of 0.0186, indicating emerging post-disclosure exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41207
Vulnerability details
The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution.…
more
Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
- CWE(s)
- KEV Date Added
- 21 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause by enforcing improved validation of untrusted web content before processing.
Requires prompt application of the vendor patches that remediate the input-validation flaw in Safari and related components.
Provides malicious-code detection and blocking mechanisms that can intercept exploitation attempts via crafted web content.